A: Under the Data Protection Act 1998 (DPA) all businesses and organisations that hold information about individuals and determine what is done with that information (referred to as "data controllers" in the DPA) must ensure that "appropriate technical and organisational measures (are) taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Other provisions of the DPA make it clear that all UK data controllers are under an ongoing obligation to take proper account of the security solutions available on the market, to ensure a level of security appropriate to the harm that might result from security breaches. In other words, the security systems in place can be proportionate but they must be periodically reviewed to ensure that security is not being compromised due to the use of outdated technology.
If you are in any doubt about the state of your data security systems, commissioning an early security audit would be a very good call given heightened public awareness of these issues following recent media coverage.
Q: If my business is involved in a security lapse and personal data does go missing, or data confidentiality is breached, what are my legal obligations?
A: Currently, the DPA does not oblige you to notify either the individuals involved or any third party, such as the body that enforces the DPA, the Information Commissioner's Office (ICO).
However, the ICO is lobbying the Government hard for more powers and penalties in this area, particularly in light of the loss by HMRC of discs containing personal data. There may well be developments in this space later this year.
Your business may also decide that regardless of whether there is a legal obligation to do so, it is best practice to come clean with the victims and the ICO without delay, rather than news of the breach leaking from another source.
- Stephen Groom is head of marketing law and privacy at Osborne Clarke. Stephen.groom@osborneclarke.com
- For more of your legal questions answered go to www.brandrepublic.com/marketingdirect.