Week after week we hear about leaks or misappropriation of personal data from large and sometimes multi-national companies. In the last few weeks where our very own MI5 is being accused of mishandling data and causing serious national security concerns, it is worth stopping to think about what is required of organisations when handling data to ensure that they do not fall foul of the law.
The most basic of requirements when considering any organisation’s data protection obligations are ensuring you are considering what data you take, what you do with it and providing a privacy notice (or policy) to the individual from whom you take the data, but where do you stand in relation to how you physically store personal data?
The Security Principle under Data Protection legislation states that you need to ensure appropriate technical and organisational measures. Measures taken must be appropriate both to your circumstances and the risk your processing poses. In practice, this means that how you store and process personal data is subjective depending on what sort of organisation you are. For example, if you are a sole trader beautician who sees individuals at their homes, then how you protect the data is going to be significantly less onerous than if you are a NHS Trust who holds and processes thousands upon thousands of names, addresses, dates of birth, sensitive data etc. One would expect the former to ensure they have a good level of virus protection on any of their electronic devices where they store data, but the latter would expect stringent security policies, extensive built in software protection, employee policies etc. We know from the media that, even with all of these things in place, large organisations are not beyond significant data breaches, sometimes simply by one individual in the organisation and it is important therefore to protect the organisation’s position by implementing data protection policies which individual staff members should comply with.
‘Privacy by Design’ is a term used by data protection legislation which applies to all organisations, no matter how large or small. Essentially, it means that any organisation needs to consider protection of data from the center of their organisation and build out from there, incorporating the protection of data throughout everything they then do. Quite often we are asked as a firm “what precisely do we need to do to ensure security for our organisation” and quite simply, every organisation is different from the other – the most important thing to bear in mind is that as an organisation you need to stop and think about what data you hold and work out what you consider based on the type of data, sensitivity of the data and amount of data being stored, what is an appropriate level of security.
A significant risk to organisations regarding security includes the misuse of data, such as data being lost, hacked, accidentally (or non-accidentally) provided to third parties. If any of these breaches lead to a risk to the individual concerned, then you are under a duty to report that breach to the ICO. With fines available of up to 20 million euros or 4% of annual turnover (whichever is the greater), the repercussions could be significant.
Don’t forget it is also essential to make sure that the public-facing data protecting requirements of your business are in order, to prevent individuals from making complaints about you. Such requirements include clear and comprehensible privacy notices and cookie notices, and ensuring that you and members of staff are aware of subject access requests requirements etc.
The Information Commissioners Office provide detailed guidance on how they expect organisations to comply, including where encryption/password protection will be appropriate, which can be found here.
If you have any questions on your data protection obligations do not hesitate to get in touch with our specialist team at WBW.
For further information, please contact Jo O’Donovan, a Solicitor in the Commercial & Employment department, on 01626 202347 or joO’Donovan@wbw.co.uk. WBW Solicitors has offices in Newton Abbot, Exeter, Torquay, Paignton, Bovey Tracey, Launceston, Honiton, Exmouth and Sidmouth.
This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.