It’s important that your business looks carefully at how securely it handles personal data, as there are both legal and reputational consequences for failing to do so.
Businesses should follow these six best practice tips for handling personal data:
Carry out a risk assessment
Carry out a risk assessment to identify the areas where the data held by the business may be at risk. You’ll need to think about issues such as physical risks, for example damage to data or systems caused by fire, theft or vandalism, and the potential impact of human error, such as the careless disposal of data by your staff.
Consider not only information which is held on the business premises, but also any that is taken off-site, such as on staff laptops. Don’t overlook data which is handled elsewhere by a third party, for example outsourced to a payroll administrator.
Draw up a data handling policy
Ensure that you have a written policy for staff regarding data handling, so that they are aware of the Data Protection Act 1998 and how its requirements affect their daily working practices. Staff awareness and training are key to ensuring compliance with the Act.
Your data handling policy should cover issues such as:
- which staff members have access to particular kinds of information;
- whether that information is password-protected, or in the case of physical data such as files, whether they are kept in a locked cabinet;
- whether data held on your systems is encrypted or protected by other means such as a firewall or anti-virus software; and
- the way in which data is securely disposed of.
Put in place a business continuity plan
You should put in place a business continuity or contingency plan that your staff can follow if disaster strikes and you suffer a serious loss of data. This should be reviewed and updated on a regular basis to ensure that it remains adequate to meet the changing requirements of the business and its operations, and the evolving risks to which it is exposed.
The contingency plan should identify the business functions and assets (including personal information) that would need to be maintained in the event of a disaster, and set out the procedures for protecting and restoring them if necessary.
The British Standards Institute has published a standard on information security, which is a useful source of information on good practice for data security, although it’s not in itself a legal requirement.
This is called the BS ISO/IEC 27001 standard and you can obtain it here. It offers a business-led approach to best security practice and provides a framework to implement and maintain effective security within a business.
The Information Commissioner’s Office (ICO) has also published guidance on good practice in relation to data security, and a note on encryption which you can find on their website.
In relation to encryption, the ICO recommends that any portable and mobile devices, including magnetic media, which are used to store and transmit personal information whose loss could cause damage or distress to individuals should be protected using approved encryption software designed to guard against the compromise of information.
Monitor external data processors
The Act requires businesses or “data controllers” to ensure that there are adequate safeguards in place regarding any processing that is carried out on their behalf by external, third party, data processors – for example, outsourced functions such as HR administration.
As a business you should take care when selecting a third party processor. Choose a data processor which provides sufficient guarantees with regard to its technical and organisational security measures; take reasonable steps to ensure that the data processor complies with these measures; and ensure that the processing takes place under a written contract which stipulates that the processor will act only on your instructions, and that it will have security measures in place that ensure compliance with the seventh data protection principle and the Act generally.
Review your security arrangements
You must notify the ICO if you process personal data of any kind, unless you are exempt from doing so. Failure to notify is a criminal offence.
When completing a notification form, you will be asked to give a general description of the measures you are taking to protect the personal information the business deals with. Use this as an opportunity to review the adequacy of the safeguards you have in place and consider whether more needs to be done in order to comply with your obligations under the Act.
Peter Harthan is a solicitor at Riverview Solicitors, the fixed price legal business.