The 'appropriate' way to comply with Data Protection Act 1998


Michael Cobb, Contributor
11.12.2008




The Data Protection Act (DPA) 1998 is the main piece of legislation that governs the protection and handling of personal data in the U.K. Although the act is excessively complex, it defines eight basic principles of information-handling practice. The seventh data security principle, one that has caused a fair amount of consternation among infosec professionals, states that entities holding personal information are required to have "appropriate" security measures in place to prevent unauthorised processing or loss of personal data.

Although most organisations in the U.K. are legally obliged to comply with the Data Protection Act, the spate of recent data losses, many involving government departments, shows the legislation has done little to improve the way data is safeguarded. The Information Commissioner's Office (ICO), the independent government authority charged with enforcing compliance with the act, has failed to establish respect for the regulation and create a culture of data security throughout U.K. businesses and government. The ICO's soft approach, combined with a lack of funds and resources to pursue offenders through the courts, has served to weaken the DPA. Early this year, for example, the European Commission intervened over what it saw as a failure of the ICO to punish British Telecommunications Group plc for the way it secretly intercepted and analysed users' click-stream data to serve them targeted advertising.

Prompted by the ever-increasing amounts of public data being handled, however, and the recent embarrassing rash of data loss incidents, this situation is starting to change. To give the act more bite, a breach of any of the DPA's eight data protection principles is now a criminal offence. Also, the ICO has been given new powers to carry out compliance spot checks and to fine offenders. The office has even issued enforcement notices to the Ministry of Defence and HM Revenue & Customs, requiring them to follow recommendations made following various reviews of their data-handling processes.

DPA compliance and the meaning of "appropriate"
So what can be done to ensure that your organisation is meeting the principle of data security? Well, "appropriate" and "adequate" security measures include both technical and organisational measures, and it is the latter where most organisations fall short. Organisational measures include such controls as security policies, accountability for the ownership of data, and staff security awareness training. Reviewing the recent incidents of lost data, it is apparent that these measures are sadly lacking in public and private organisations alike.

When was the last time you reviewed your security policy? Does it take into account the use of removable media, such as USB thumb drives, or mobile users' PDAs, laptops and smartphones? Your security policies must be kept current and made accessible and detailed enough so that employees know how to handle data.

Staff must also be made aware of their roles and responsibilities when handling data, and that the security policies will be rigorously enforced. An effective way of putting policies into effect is to write these responsibilities into people's job descriptions.

To see what actions the government is taking to improve its data security, read the Cabinet Office's report on Data Handling Procedures in Government, and the recommendations made by Kieran Poynter, Chairman of PricewaterhouseCoopers, in his review of information security at HM Revenue and Customs. Both of these reports provide guidance on what steps need to be taken to ensure data within an organisation is valued and protected.

The DPA has many ambiguities, but the ICO is approachable. So if you have any doubts as to whether aspects of the act apply to your organisation or whether your security measures are appropriate, it is best to speak with them directly.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

Copyright 2008 - 2009, TechTarget