In this issue we look at the important topic of personal information and data security.
The Data Protection Act 1998 (DPA) has been described by the courts as “a cumbersome and inelegant piece of legislation”. However, its importance is undeniable. Richard Thomas, the Information Commissioner has even gone so far as to say that “data protection law stands in the way of a surveillance society where government and commercial bodies know everything about everybody”.
Data protection seems to have been in the news a lot recently. Why is that?
Data protection law is not often headline news. However, recent high profile losses of personal data and potential breaches of the Data Protection Act have changed that. HM Revenue and Customs admitted to losing two discs containing the names, addresses, dates of birth, National Insurance numbers and bank account details of some 25 million people. This was the UK’s largest ever personal data security loss. In the wake of this, Richard Thomas, who heads the Information Commissioner’s Office (ICO), which enforces the Data Protection Act, called for sweeping changes: “This incident and its aftermath mark a turning point for data protection in the UK. Safeguarding large amounts of personal information − valuable assets for any organisation − has to be taken seriously from the top… the onus is on every organisation − and every leader within that body − to ensure there are clear lines of accountability to stop things from going badly wrong.”
What are my obligations as an education professional in terms of maintaining the security of information?
The Act requires that schools take “… appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
What proposed changes to data protection law have been made?
In the wake of recent breaches of the Data Protection Act, the Government has signalled its intention to bow to Richard Thomas’ requests to increase the powers of the ICO. Proposals include criminal sanctions against individuals who “knowingly or recklessly” breach the data protection principles enshrined in the Act. Offenders could be fined up to £5,000 in a magistrates’ court or unlimited sums in the Crown Court.
Would that be a significant change in the law?
Yes, the proposed new laws mark a significant change in policy by the ICO. Until now, the ICO has sought to enforce the Act against “data controllers” − the organisations that have ultimate control over the personal information of data subjects. If the proposed laws are enacted, there will be an increased chance that employees who fail to properly understand the obligations imposed by the Act and commit a fundamental breach of it will be prosecuted. This would include teachers.
Presumably I need to be particularly careful about the use of laptops?
Very much so. The proposed changes in the law also follow a number of thefts of patient data held on laptops stored in the cars of NHS doctors. Richard Thomas has commented that “if a doctor or hospital employee leaves a laptop containing patients’ records in his car and it is stolen, it is hard to see that is anything but gross negligence.” Pupil information held by teachers on laptops and other portable devices needs to be held as securely as possible to protect this potentially vulnerable group and is likely to attract the same level of regulation as patient data.
What specific steps do I need to take in respect of the use of ICT?
Given the nature of electronic storage devices like laptops and memory sticks, it is never possible to eradicate the risk of loss or theft. However, all schools should have policies in place to ensure that such loss or theft does not compromise pupil and other personal information. Ideally, such policies should include a clear notice that laptops containing personal information should not be left in cars even if those cars are locked. Richard Thomas has specifically stated that anyone (whether employee or data controller) holding personal information should know the basics of encryption to protect such information. Clearly schools will need to review whether such knowledge exists amongst teachers and, if it doesn’t, put in place training and, if necessary, invest in the relevant software to enable encryption.
What other new powers is the ICO seeking?
In addition to increasing the criminal sanctions when things go wrong, the ICO is requesting the right to be able to conduct “dawn raids” on the premises of data controllers (including schools) so that it can take a proper “snapshot” of the compliance by the relevant organisation with the Act and the data protection principles under it.
Given this, what particular steps should my school be taking to ensure data security?
Schools should: ensure that there are policies on taking pupil and staff personal information off-site and on the use of mobile computing, memory sticks, etc.; ensure that these policies are properly communicated to employees and enforced; and invest time in ensuring that the school implements British Standard 7799 on Information Security Management (available from the British Standards Institution). Schools should also consider investing in a data protection audit. Browne Jacobson’s DPA audit service is concerned with both the data files held by schools and the mechanisms in the school to ensure that the DPA and its principles are observed at all times. As a result of subjecting itself to such an audit, which is completed by way of a questionnaire and an on-site investigation, a school will know whether its handling of personal data about pupils, staff and other third parties is fully compliant with the Act, whether it has in place mechanisms to reinforce compliance, and whether those mechanisms are likely to be sufficient to secure continuing compliance.
Simon White can be contacted on 0115 9766532 or emailed at firstname.lastname@example.org
This e-bulletin issue was first published in January 2008
About the author: Simon White is author of this week’s issue. He is an associate solicitor with the firm having joined in 1999. He is based at the firm’s Nottingham offices where he specialises in commercial contracts, data protection and freedom of information.