A recent report by Six Degrees Group (6DG) revealed that more than half of Local Authorities (LAs) in the UK have suffered a breach of 'official' data in the last two years. 6DG also found that 60% of LAs didn't know how much sensitive 'official' data they were holding or where it was kept.
However, these issues are not unique to LAs. Data protection breaches have also been reported in police forces and other public sector organisations. The situation appears to have been exacerbated by the introduction of new security classification guidelines in 2014 by CESG (the Information Security arm of GCHQ), which replaced the Impact Level (IL) ratings.
The guidelines were intended to simplify the classification system. But in practice, mapping from the IL ratings to the new classifications of 'official', 'secret' and 'top secret' has proved confusing.
Within each classification there will be a wide range of information of varying sensitivity, with different consequences in the event of a breach. Some information will be personal data and caught by the provisions of the Data Protection Act 1998 (DPA) while other information may be confidential but not contain personal information. To minimise the risk of a data breach, it’s important for public sector organisations to understand the value and sensitivity of their information in order to make risk management decisions.
So, what are the legal obligations in relation to data security and what practical steps can be taken to avoid a security breach?
Data controllers are required under the DPA to take "appropriate technical and organisational measures" to prevent unauthorised or unlawful access to personal data, accidental loss of personal data and destruction or damage to personal data.
The appropriate level of security will depend on the nature of the data to be protected and the harm that could result in the event of unlawful processing, accidental loss or damage. The DPA recognises that it may not be necessary or feasible to use state-of-the-art technology in all cases. Instead, data controllers should weigh up the state of technological developments against the costs of implementation.
Regardless of whether or not the data held is personal, consideration needs to be given as to what policies, processes and training should be put in place to ensure that employees and contractors are able to manage information risks. This includes:
1. Security audits
To assess security risks, it's vital to have an understanding of how data is obtained, used and shared within and outside the organisation. The 6DG report highlighted that many LAs do not conduct security audits on a regular basis, and in fact, 45% of LAs haven’t recorded whether a security audit had taken place in the last two years. This is an essential step to ensure that the risks are understood and security can be designed to fit the type of data held.
2. IT and security controls
Security should be integral to the design and implementation of IT systems. Risk-informed security controls should be put in place to mitigate threats and protect against malicious behaviour.
Physical security, such as swipe cards and locked cabinets, should be considered as well as technical controls, for example, restricting access to personal data to senior employees.
The ICO has warned that enforcement action will be pursued if encryption software has not been used to protect personal data. Guidance is available on the ICO website on encryption, together with a list of data security tips.
The following key policies should be reviewed on a regular basis:
It’s vital that employees receive training on how to keep data secure as well as on the disclosure of data to other public bodies and within the organisation itself. An audit trail should be kept of all training so that accurate records can be produced in the event of a breach or an investigation by the ICO.
5. Data processor vetting
When selecting third parties to process data, it’s important to ensure that they also have adequate technical and organisational security measures in place to protect personal data. The data processor must enter into a written contract with the data controller and agree to comply with obligations equivalent to those imposed on the data controller.
If a breach does occur, despite the technical and organisational measures in place, it’s crucial to manage and respond to it effectively. The ICO has published guidance for organisations to help them decide on the appropriate course of action. A security breach team should be assembled to investigate the nature of the breach and take action to stop the breach continuing or recurring.
Although there is currently no express obligation in the DPA to notify the Information Commissioner in the event of a personal data security breach, the position is due to change when the new Data Protection Regulation is introduced. Organisations that suffer a breach of personal data will have a legal obligation to notify the regulator without undue delay. In addition, fines for data protection breaches will be substantially increased.
With the new Data Protection Regulation on the horizon and the new Network & Information Security Directive to contend with, it’s more important than ever that all public sector organisations review their data security on an ongoing basis, ensuring that they stay in line with the changes to the law.
If you would like any further information or advice on a data security issue, please contact Alison Deighton on +44 (0)333 006 0160.
Contributor: Emily Holdsworth
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions.