Managing the risks inherent in handling personal data
What are the risks and how do they arise?
The root causes of information handling problems are:
Unfair obtaining/disclosure – the result of malicious acts such as hacking into the TK Maxx customer records, or "blagging" (using deceit to obtain information to which you are not entitled), which the Information Commissioner’s Office reports some private investigators and journalists do. In May 2007 Cable & Wireless in the US obtained an injunction against a former executive employee over the theft of a customer database; the customers were being targeted by credit card fraudsters based in Pakistan.
Accidental/negligent disclosure – not malicious, but due to organisational failings and individual indifference: faxes sent to incorrect telephone numbers, customer information left accessible in rubbish bins, or records lost in the street, as with the confidential patient care records found on a roundabout in Dorset and the confidential documents about adults with learning difficulties found in a Lincoln street near a Social Education Centre. Internal disclosures count too, such as "orphan" documents left on shared printers and incoming faxes left on the machine for anyone in the office to read.
Accidental loss – lost or stolen laptops, which has happened to a number of organisations including M&S and the Eden Project; unencrypted personal data sent on CD-ROM through the ordinary postal service and going missing, as with HMRC in November 2007 and HSBC Bank in March 2008; data lost through computer failure with no or inadequate back-up; and data exposed by error, as in July 2007 when Newcastle City Council admitted that thousands of credit and debit card transaction details had been placed on an insecure server by mistake and accessed from overseas computers.
Inaccuracy – bank statements sent to the wrong address or addressee, as reported in the press from time to time; inaccurate credit indicators showing loans as still outstanding when they have been repaid, as reported in the Information Commissioner’s Annual Reports; mis-filed employee references, appraisals or disciplinary notices.
Incomplete records – showing two individuals as financially linked when they are divorced, or failing to flag someone as having opted out of receiving direct mailings.
Excessive records – CCTV cameras mis-aligned so that they record general street activity instead of the vulnerable doorways or windows they are meant to cover.
Obsolete records – old addresses retained after the data subject has moved.
Failure to process fairly and in accordance with subject rights – for example, in June 2007 the Information Commissioner announced that the mobile phone operator Orange was in breach of the Data Protection Act in the way it processed customer personal information, because new members of staff were allowed to share user names and passwords when using the customer information system. In the same month the ICO found that the home shopping company Littlewoods had failed to observe its customers' right to require it to cease using their personal data for direct marketing purposes.
Who is at risk when personal data is mismanaged?
Traditionally the approach is to consider the risk to the company, its officers and employees. The risks include:
Committing a criminal offence – it is an offence to unlawfully obtain or disclose personal data. Likewise it is an offence for a company not to be registered for data protection if its activities require registration, and it is an offence to require an employee to use his or her right of subject access to find out whether he or she has a criminal record.
Potentially a gaol sentence – the Criminal Justice and Immigration Bill contains provisions for the offences of unlawful obtaining and disclosure to be punishable by a prison term. A police officer who unlawfully discloses personal data knowing, or reckless as to, the physical harm that may result from that disclosure will face a custodial sentence.
Financial – fines for companies, directors and individual employees, not just in the courts. In January 2007 the Financial Services Authority fined Nationwide Building Society £980,000 for data protection breaches.
Reputational – 11 banks, building societies and the Post Office were "named and shamed" on the Information Commissioner’s Office website in 2006.
Professional – representatives of the 11 banks, building societies and the Post Office were required to sign undertakings that the data protection breaches would not be repeated. The Chief Operating Officer at HMRC resigned over the loss of child benefit claimants records in November 2007.
Demoralised colleagues – staff become demoralised to read about data security scandals affecting their employer. The stigma attaches to those who work at the business as well as to the business itself.
Customer dissatisfaction – minor complaints are more likely to be escalated as customers perceive them as another area where the business has failed to perform. It feeds their dissatisfaction and makes them harder to please.
Deterioration in relationship with regulators – it gives notice to regulators that the senior management are not on top of issues within the organisation.
Risk to individual data subjects
Many businesses do not consider the effect on individual customers and clients when carrying out risk assessments.
Financial – identity theft is prevalent; fraudsters recognise the value of personal data, so its loss or theft is increasingly dangerous to the individuals concerned.
Loss of privacy – ranging from potential social stigma for some categories of data subject, for example ex-convicts, bankrupts and AIDS sufferers, to physical harm, for example where the current address of someone under protection, such as an abused spouse or a witness, is disclosed.
Emotional stress – arising from unwarranted and unwanted publicity, the hassle involved trying to "set the record straight", worry about the likelihood of personal harm or financial loss.
Reputation – mistaken identity, unwanted publicity affecting professional life and career. The Information Commissioner’s Annual Reports detail examples such as the CRB incorrectly recording an offence of driving while under the influence of alcohol against an individual who proved in court that someone else had used his driving licence.
Creditworthiness – unfair rejection, missed opportunities.
Strategy for reducing or avoiding risk
What is data protection for? It aims to control or change the way in which organisations handle personal data. Such changes can only be implemented from the top down. Senior management must take ownership of the issue of data protection risks and take responsibility for implementing changes to reduce or avoid those risks.
Deloitte’s 2007 Global Security Survey ("The Shifting Security Paradigm") found that even though information security incidents are grabbing the headlines, executives and directors do not own the problem: research shows they think it falls within the remit of IT. Organisations need a security strategy.
The Information Commissioner in a speech in July 2007 said:
"Business and public sector leaders must take their data protection obligations more seriously. The majority of organisations process personal information appropriately - but privacy must be given more priority in every UK boardroom. Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers."
Dr Mark Walport, Director of the Wellcome Trust and charged by the Prime Minister, together with Richard Thomas, the Information Commissioner, to undertake a review of the framework for the use of information in the private and public sectors said in an interview:
"Many organisations tend to underestimate the significance of data protection, consigning it to the responsibility of a dedicated "data officer" or to middle management.
That’s simply not good enough, it needs to go to the board….it’s not something that should "belong" to any one individual or group of individuals, it has to be a part of the culture, with ultimate accountability and responsibility sitting with the chief executive and the board."
The elements of a strategic approach include nominating an individual or committee of the senior management team with responsibility to report to the board on data protection issues and to take responsibility for cascading the board’s decisions on data protection to the rest of the organisation. The aim should be to foster a compliance culture, where individuals recognise the organisation’s framework for data protection compliance and that they have a role to play in ensuring data security. With training on confidentiality and security risk management individual employees can be supported as accountable members of the risk reduction team. A member of staff who is aware of the risks inherent in information management can be encouraged to be accountable and can be relied upon to exercise caution in situations where there are no documented procedures. They will apply peer group pressure and encourage colleagues to be sensible.
A strategic approach should be demonstrable by the compliant culture of the organisation and its employees and by a system of control for data protection risks. This system of control should identify risks and provide a framework for reducing or avoiding those risks. The performance of the controls needs to be monitored and adjustments made as necessary. This comes down to audit or review.
Tactics for reducing or avoiding risks
Some specific tactics are set down by law or in authoritative guidance: the eight Data Protection Principles, various industry Codes of Practice, and the guidance and interpretation published by the Information Commissioner.
Here are some groupings of tactics to flesh out the Principles:
Physical security – CCTV, secure business premises, adequate locked filing arrangements, secure waste or confidential waste bins, careful siting of computer terminals so they cannot be seen from the street or car park, swipe card entry to buildings or departments.
IT security – firewalls, anti-virus controls, password-protected access to data on a need-to-know basis, back-up and restart facilities, secure testing environments, encryption.
PETs (Privacy Enhancing Technologies) – anonymisation, pseudonymisation, federated services like PayPal. System design that puts the individual at the heart of the programme or solution.
Procedural security – visitor sign-in procedures, clean desk policy, "last out locks files" policy, laptop and home working security guidelines, hot-desking guidelines, password security policy, verifying identity before disclosing information, archive policy and procedures including deletion and destruction of information. In the HR environment, checking that employees want references on leaving the company, and keeping personnel files to a "model" standard.
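As an added illustration of the pseudonymisation and data-minimisation tactics listed under PETs above (example code written for this page, not the author's own material or any particular product), the following Python routine prepares a customer extract for release to a third party: direct identifiers are replaced by keyed tokens, quasi-identifiers are generalised, and fields the recipient does not need are dropped. The sample records, field names and the 32-byte key are constructed for the example; a real deployment would take the key from a key store and keep the re-identification table under the data controller's control only.

```python
import hashlib
import hmac
import secrets

# Constructed sample extract; every name, account number and postcode is invented.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "account": "12345678", "postcode": "NE1 4ST",
     "dob": "1975-03-14", "balance": 1204.50},
    {"name": "John Roe", "account": "87654321", "postcode": "DT1 1AA",
     "dob": "1960-11-02", "balance": -55.00},
    {"name": "Jane Doe", "account": "12345678", "postcode": "NE1 4ST",
     "dob": "1975-03-14", "balance": 980.25},
]


class Pseudonymiser:
    """Replaces a direct identifier with a keyed token.

    HMAC-SHA256 under a secret key is used rather than a plain hash: account
    numbers and names have little entropy, so an unkeyed SHA-256 could be
    reversed by hashing every candidate value. Only the data controller holds
    the key and the token->identifier table, so the recipient of the extract
    cannot re-identify anyone, while the controller still can if a data
    subject exercises a right over the record.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("key must be at least 32 bytes of random data")
        self._key = key
        self._table = {}  # token -> original value; never leaves the controller

    def token(self, value: str) -> str:
        mac = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256)
        tok = mac.hexdigest()[:24]  # 96 bits is ample for a collision-free mapping
        self._table[tok] = value
        return tok

    def reidentify(self, tok: str):
        """Controller-side lookup; returns None for an unknown token."""
        return self._table.get(tok)


def generalise_postcode(postcode: str) -> str:
    """Keep the outward code only (e.g. 'NE1 4ST' -> 'NE1'); the three-character
    inward code narrows a UK address down to a handful of houses."""
    compact = postcode.replace(" ", "").upper()
    return compact[:-3]


def generalise_dob(dob: str) -> str:
    """Keep the year only; a full date of birth is a strong quasi-identifier."""
    return dob[:4]


def pseudonymise(records, pseud: Pseudonymiser):
    """Build the extract a third party would receive: the name is dropped
    entirely, the account number becomes a token, postcode and date of birth
    are generalised, and only the balance is passed through as-is."""
    out = []
    for rec in records:
        out.append({
            "subject_id": pseud.token(rec["account"]),
            "postcode_area": generalise_postcode(rec["postcode"]),
            "birth_year": generalise_dob(rec["dob"]),
            "balance": rec["balance"],
        })
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: in practice loaded from a key store
    pseud = Pseudonymiser(key)
    for row in pseudonymise(SAMPLE_RECORDS, pseud):
        print(row)
```

Because the token is deterministic under one key, the two rows for the same account remain linkable for analysis, yet a recipient holding only the extract cannot recover the account number or name; changing the key produces an unrelated set of tokens, which is how one would issue distinct extracts to different recipients so that they cannot be joined against each other.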
Remember that specific procedures cover specific risks. It is impossible to cover every eventuality and to make sure that every employee, every temp or contractor has read and remembered the procedures. A compliant culture with individual employees aware of the risks and accepting accountability is the only way to cover all risks.
Factors affecting choice of tactics
Context – internal factors such as the type of data being processed and the nature of the operation, the risk profile of the business based on the severity of the consequences of the breach and the likely number of people affected.
External factors – would include the macro environment, what issues are currently in the news, which factors are government and regulators focused on, what areas are attracting attention in the industry and what constitutes best practice in the industry.
Conclusion
What is data protection for? It tries to control or change organisational behaviour into taking responsibility for information handling.
The recommended route to achieve this, as we have suggested and as Deloitte’s findings and the ICO’s opinion support, is to have an information handling strategy: one that signals that data security matters at the highest level and that senior management is prepared to commit time and resources to implementing best practice. This will lead to a compliance culture, which will support individual employees when making choices affecting personal data in their working day.
A system of control will give senior management the overview it needs of data risk management within the organisation. It will also provide a framework for staff and regulators to demonstrate controls.
The selection of tactics to improve compliance must fit with the organisation’s operational and business needs. However, tactics alone may not suffice to establish a compliant organisation. Specific procedures apply in specific circumstances and may be too rigid to apply when circumstances change. Staff may forget the specifics of a procedure, or the procedure may fall into disuse. Only a compliant culture will ensure that the organisation is tuned to data protection compliance as a lasting objective.
Mandy Webster, May 2008