Millions of data files are transmitted weekly to third-party providers: payroll and billing files, and files containing names and addresses, sent to companies whose services range from print and mailing to data cleansing, marketing services and social media, often without any consideration of what might happen if that data were misplaced, misappropriated or, worse still, fell into the wrong hands.
We take it for granted that the security of our information is just that: ‘secure’.
How valuable is your personal and company data to others?
The most obvious way that data is used is in highly personalised and targeted marketing intended to make us buy. As I’ve alluded to in previous blogs, your internet browsing habits can determine which pop-up ads you are likely to see when you search the internet.
We are only human and susceptible to making mistakes, like leaving important documents in public places, as I mentioned in this earlier blog.
The same principle applies when data is managed either internally or externally.
The Data Protection Act of 1998 and its subsequent update in 2007 were designed to ensure that information held by any party or organisation is held in accordance with principle 7, that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
What that means in practice is that the data you hold must have an appropriate level of security to prevent it being lost or compromised.
What the act does not specify or define is the security measures you should have in place. Certain industries will have specific standards imposed on them by their regulatory body.
The security measures you put in place as a business will depend on what you do and your circumstances.
Physical and technological security are vital in any business. The size of the business and the number of employees will determine whether formal information and document management policies are put in place so that employees are aware of security and its importance within the organisation.
Generally it is good practice to identify a person or department who takes day-to-day responsibility for security measures.
Technical security of laptops and PCs to protect computerised information is important, but security issues often result from the theft or loss of equipment, old PCs being abandoned with the hard drive intact, or hard-copy records being disposed of carelessly.
Physical security relates to how secure your office premises are: doors, locks, alarms, CCTV, security lighting and how you control access to your premises.
How do I know if my information is secure?
The act says that you should have security that is appropriate to:
- the nature of the information in question
- the harm that might result from its improper use, or from its accidental loss or destruction.
Again, the act doesn’t define ‘appropriate’, nor does it state that you must have state-of-the-art security to protect personal data, but common sense should prevail, and a regular review of your security arrangements as technology advances is a good thing.
Every day we talk to our customers and hold details in a customer relationship database. You may think that this doesn’t meet the criteria of principle 7, but in some respects it does, because those details will no doubt include birthdays, spouse’s name, kids’ names, where they went on holiday, what their hobbies are, connections on social media and so on.
All of this is relevant to you and is part of your marketing process of managing and nurturing the customer, but it is private and personal data that you hold.
More importantly, you are holding information that you intend to use to communicate your products and services.
The question you need to ask yourself is: what would happen if this information were compromised?
If the hairs on the back of your neck stand up at the thought, then you need to ask yourself whether you have taken the necessary steps to ensure that principle 7 is adhered to; if you have, then all well and good.
What does information security mean when it comes to outsourcing data files?
The data controller, or the customer, is responsible for ensuring that the data is accurate and adheres to principle 7.
If they are outsourcing the data to a third-party service provider, normally regarded as the data processor as defined by the act, it is vital that the customer:
- Chooses a service provider that can demonstrate compliance with, and guarantees in respect of, the handling of data files as defined by the act
- Takes every reasonable step to comply with those measures
- Ensures that the processing is carried out under a contract that is evidenced in writing
- Conducts due diligence, as the data controller, on its service provider (data processor) to ensure that data is being processed securely
- Audits the service provider regularly to ensure continued compliance
Under the act, the customer (data controller) is legally responsible for any failure by the service provider (data processor) to comply with data protection law.
You wouldn’t leave the house without locking the doors; the same principle applies to the information you store as an organisation.