The Information Commissioner's Office (ICO) has warned businesses to ensure that the personal data they are responsible for is not left exposed to security vulnerabilities in IT infrastructure.
The warning has been issued as Microsoft brought to an end the "extended support" it offered for its Windows XP and Office 2003 products on 8 April. The Crown Commercial Service has announced that it has signed a deal with Microsoft to "maintain critical and important security updates" for the software on behalf of all public sector organisations in the UK over the next year.
"It is important to remember that this is not a unique situation," Dr Simon Rice, the ICO’s technology group manager, said. "Organisations regularly end support for their older products. And those with supported systems still need to be vigilant, as vulnerabilities will be discovered over time."
"As a responsible data controller, it is your organisation’s responsibility to make sure you have the measures in place to keep people’s details safe. Anyone using either of these two products must consider their options and ensure that personal data is not unduly placed at risk. Failure to do so will leave your organisation’s network increasingly vulnerable over time and increases the risk of a serious data breach that your actions could have prevented," he added.
Under the Data Protection Act (DPA) data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Businesses that fail to meet this standard risk being fined up to £500,000 by the ICO if there is a serious personal data breach.
The ICO confirmed to Out-Law.com that, in the case of a data breach stemming from an unsupported IT system, the length of time that that system has been left without upgrades would be a factor in determining whether and to what extent businesses would be subject to enforcement action under the DPA.
"If a data breach occurred that could have been prevented had the organisation been using a supported system then we would take this into account when deciding whether further action was required," an ICO spokesperson said. "Unsupported systems become more insecure as time passes, so we would also need to consider the length of time an organisation has been using an unsupported system and the reasons why as part of our decision making process."