This is one of a series of articles appearing on OUT-LAW this week to celebrate Data Protection Day 2008.
Anyone who thought that the HMRC disaster was a one-off could not hold that view for long: the loss of a Ministry of Defence laptop, a Marks & Spencer employee database and other incidents have added to an ever-growing list of organisations suffering a loss of important or confidential data.
This accumulation of security errors has created a growing public worry that demands a political response, and the expectation is that the Government will now seek to involve itself more closely than ever in the business of keeping our data safe. All organisations may soon have to prove that they have maintained the appropriate standards when they use computers.
In one sense this is an extension of a trend in other fields of IT governance where the Government has stepped up regulation. The millennium bug demonstrated that a functioning modern economy was totally dependent on its computer systems, while the collapse of multinational corporations such as Enron demonstrated that some organisations could hide their financial problems by using reporting systems that were not fit for purpose.
The political response to these problems was to enact legislation that gave powers to ministers or regulators to impose standards with respect to interoperability, governance and resilience. In this way, Government interference in an organisation's processing procedures has been firmly established as a fact of life.
So it has been with data security, as every week seems to bring new revelations about poor security practice. The public now knows that the HMRC event is not a one-off and that far too many organisations have a relaxed attitude to basic security management. This conclusion has jolted the political system into a regulatory response, and because the data items of concern are details such as names, addresses and bank account details, the main regulatory vehicle of change will be the Data Protection Act.
Already the Government has conceded that it intends to provide increased power to the Information Commissioner to carry out inspections and audits, and has introduced a two-year custodial offence where malpractice with respect to personal data can be linked to staff malfeasance.
On the horizon is a keen debate on further legislation that could give the Commissioner the ability to name and shame transgressors, to order compliance with best security practice, to punish a breach of security obligations, and to require organisations to tell individuals that their personal details have been lost. In this regard, the security standard ISO 27001/27002 will emerge as the benchmark that regulators use to judge these matters.
The onus will be on organisations to be proactive about their information policies. They would be wise to adopt a rigorous approach to IT security and governance that provides evidence that they have met their regulatory obligations.
By Dr Chris Pounder

Dr Chris Pounder is the editor of the Pinsent Masons publication Data Protection Quarterly and runs data protection training for organisations across the UK.