Paul Ticher's Data Protection Update - November 2011
By Paul Ticher
Our data protection correspondent Paul Ticher updates on recent breaches of security, the website cookie law, data processors, payment card security and third-party staff.
Update on security breaches
There is no let-up in the stream of organisations being fined – sometimes quite hefty amounts – for having confidential data go missing, usually on stolen laptops that were not encrypted.
The only good news is that organisations, and in one case an individual, seem to be treated more leniently if they don’t have the resources. Two charities were let off without fines, but they did have to sign undertakings to put their houses in order. It’s also worth noting that both of them owned up to the Information Commissioner about the theft of their laptops, of their own accord.
The individual was fined £1,000 because he had used a consumer web host, which did not provide adequate security guarantees, to host sensitive data; the host was broken into and 6,000 records were lost. Had he been an organisation, the fine would have been £200,000.
Don’t let it happen to you. Laptops must be protected by encryption, not just passwords, if they hold any personal data.
And think about how you would respond to a breach. Do you have a policy on reporting breaches to the Commissioner? If not, who would make the decision?
Cookie law
The new cookie law means that, in most cases, website users should only get cookies they have agreed to receive (see this Wikipedia article for more on cookies). Although this theoretically came into force in May 2011, website owners have a year to get their sites in order. See the latest guidance (pdf, 564Kb) from the Information Commissioner. We’re nearly half-way through that year; have you worked out what you need to do on your website?
Data Processor contracts
Not directly a Data Protection issue, but in August 2011 a company was allowed to end its contract with a marketing company because the marketing company had sent out a cold mailing to people who had not consented to receive it. A useful reminder to check that your contracts are precise about what you want other organisations to do with your data.
Payment card security
If you accept payments by credit or debit card, make sure that you are complying with the Payment Card Industry Data Security Standard. This means, for example, that you must not store the three-digit security code in any way after the payment has been authorised. A guide to the standard can be freely downloaded (pdf, 1.47Mb).
Are your staff third parties?
Something that comes up from time to time: if someone makes a Subject Access Request, can an individual member of your staff refuse consent for the release of comments they have made about the person making the request?
The answer is probably not, unless they made the comments in a personal capacity (for example if they were complaining about bullying by a colleague). If they have written the comments in their official capacity, they must expect them to be disclosed.
About the author
Paul Ticher
Paul is an independent specialist. Drawing on 25 years' experience of Data Protection in the voluntary sector he can deliver training, carry out audits, help to write policies and procedures, or give guidance on specific problems or questions. He can be contacted via www.paulticher.com/ or 0116 273 8191.
Published: 7th November 2011
Copyright © 2011 Paul Ticher
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.0 UK: England & Wales License.