The 'appropriate' way to comply with Data Protection Act 1998


Michael Cobb, Contributor

The Data Protection Act (DPA) 1998 is the main piece of legislation that governs the protection and handling of personal data in the U.K. Although the act is excessively complex, it defines eight basic principles of information-handling practice. The seventh data security principle, one that has caused a fair amount of consternation among infosec professionals, states that entities holding personal information are required to have "appropriate" security measures in place to prevent unauthorised processing or loss of personal data.

Although most organisations in the U.K. are legally obliged to comply with the Data Protection Act, the spate of recent data losses, many involving government departments, shows the legislation has done little to improve the way data is safeguarded. The Information Commissioner's Office (ICO), the independent government authority charged with enforcing compliance with the act, has failed to establish respect for the regulation and create a culture of data security throughout U.K. businesses and government. The ICO's soft approach, combined with a lack of funds and resources to pursue offenders through the courts, has served to weaken the DPA. Early this year, for example, the European Commission intervened over what it saw as a failure of the ICO to punish British Telecommunications Group plc for the way it secretly intercepted and analysed users' click-stream data to serve them targeted advertising.

Prompted by the ever-increasing amounts of public data being handled, however, and the recent embarrassing rash of data loss incidents, this situation is starting to change. To give the act more bite, a breach of any of the DPA's eight data protection principles is now a criminal offence. Also, the ICO has been given new powers to carry out compliance spot checks and to fine offenders. The office has even issued enforcement notices to the Ministry of Defence and HM Revenue & Customs, requiring them to follow recommendations made following various reviews of their data-handling processes.

DPA compliance and the meaning of "appropriate"
So what can be done to ensure that your organisation is meeting the principle of data security? Well, "appropriate" and "adequate" security measures include both technical and organisational measures, and it is in the latter that most organisations fall short. Organisational measures include such controls as security policies, accountability for the ownership of data, and staff security awareness training. Reviewing the recent incidents of lost data, it is apparent that these measures are sadly lacking in public and private organisations alike.

When was the last time you reviewed your security policy? Does it take into account the use of removable media, such as USB thumb drives, or mobile users' PDAs, laptops and smartphones? Your security policies must be kept current and made accessible and detailed enough so that employees know how to handle data.

Staff must also be made aware of their roles and responsibilities when handling data, and that the security policies will be rigorously enforced. An effective way of putting policies into effect is to write these responsibilities into people's job descriptions.

To see what actions government is taking to improve its data security, read the Cabinet Office's report on Data Handling Procedures in Government, and the recommendations made by Kieran Poynter, Chairman of PricewaterhouseCoopers, in his review of information security at HM Revenue and Customs. Both of these reports provide guidance on what steps need to be taken to ensure data within an organisation is valued and protected.

The DPA has many ambiguities, but the ICO is approachable. So if you have any doubts as to whether aspects of the act apply to your organisation, or whether your security measures are appropriate, it is best to speak with the office directly.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
