On your to-do list of technology jobs, security compliance is likely some way down the list. But it's an important job, and one worth setting aside some time to grapple with.
So where do you start? Most definitely with a trip to the website of the UK's Information Commissioner's Office (ICO).
In its most recent annual report the ICO states:
“It’s our job to make the difficult calls. How to square privacy, security and efficiency – in the public interest?
Developments in technology, business and government face the ICO with judgements like these every week. New applications, new services, and a new government seeking efficiencies through greater transparency, accountability and data sharing. How can we gain the benefits of new digital opportunities while managing the risks?”
It sounds pretty innocuous, but the ICO is a regulator with bite: the Commissioner has the power to fine companies up to £500,000 for data security breaches.
At the end of 2010 the ICO issued its first two monetary penalties, against the employment services company A4e and Hertfordshire County Council, for serious breaches of the Data Protection Act.
A4e was fined £60,000 after an unencrypted laptop containing personal information on 24,000 people who had used community legal advice centres in Hull and Leicester was stolen from an employee's home.
So even a theft, something beyond almost anyone's control, can lead to hefty fines if security controls aren't in place around your IT equipment and databases.
So where should an SMB start, especially given that most small companies don't have IT security specialists on the payroll?
The first step is a question you must ask yourself: does my company handle personal information about individuals? If so, it has a number of legal obligations to protect that information under the Data Protection Act 1998.
Under the Data Protection Act, you must:
- only collect information that you need for a specific purpose;
- keep it secure;
- ensure it is relevant and up to date;
- only hold as much as you need, and only for as long as you need it; and
- allow the subject of the information to see it on request.
The ICO has an excellent series of guides on "privacy by design": steps to ensure privacy and security are built into your IT practices.
There's an excellent checklist for small businesses too. Here's the section on keeping personal information secure:
Do your staff know:
- to keep passwords secure – change regularly, no sharing?
- to lock / log off computers when away from their desks?
- to dispose of confidential paper waste securely by shredding?
- to prevent virus attacks by taking care when opening emails and attachments or visiting new websites?
- about working on a ‘clear desk’ basis – by securely storing hard copy personal information when it is not being used?
- that visitors should be signed in and out of the premises, or accompanied in areas normally restricted to staff?
- about positioning computer screens away from windows to prevent accidental disclosures of personal information?
- to encrypt personal information that is being taken out of the office if it would cause damage or distress if lost or stolen?
- to keep back-ups of information?
Finally, what can lead to such large fines? Well, it’s a sobering answer:
“The Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition the contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.”