
It’s important that your business looks carefully at how securely it handles personal data, as there are both legal and reputational consequences for failing to do so.
Businesses should follow these six best practice tips for handling personal data:

Carry out a risk assessment
Carry out a risk assessment to identify the areas where the data held by the business may be at risk. You’ll need to think about issues such as physical risks – for example, damage to data or systems caused by fire, theft or vandalism – and the potential impact of human error, such as the careless disposal of data by your staff. Consider not only information which is held on the business premises, but also any that is taken off-site, such as on staff laptops. Don’t overlook data which is handled elsewhere by a third party, for example outsourced to a payroll administrator.

Draw up a data handling policy
Ensure that you have a written policy for staff regarding data handling, so that they are aware of the Data Protection Act 1998 and how its requirements affect their daily working practices. Staff awareness and training are key to ensuring compliance with the Act. Your data handling policy should cover issues such as:
- which staff members have access to particular kinds of information;
- whether that information is password-protected, or in the case of physical data such as files, whether they are kept in a locked cabinet;
- whether data held on your systems is encrypted or protected by other means such as a firewall or anti-virus software; and
- the way in which data is securely disposed of.

Put in place a business continuity plan

Keep up-to-date
The British Standards Institute has published a standard on information security, which is a useful source of information on good practice for data security, although it’s not in itself a legal requirement. This is called the BS ISO/IEC 27001 standard and you can obtain it here. It offers a business-led approach to best security practice and provides a framework to implement and maintain effective security within a business. The Information Commissioner’s Office (ICO) has also published guidance on good practice in relation to data security, and a note on encryption which you can find on their website. In relation to encryption, the ICO recommends that portable and mobile devices (including magnetic media) which are used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software designed to guard against the compromise of information.

Monitor external data processors

Review your security arrangements
You must notify the ICO if you process personal data of any kind, unless you are exempt from doing so. Failure to notify is a criminal offence. When completing a notification form, you will be asked to give a general description of the measures you are taking to protect the personal information the business deals with. Use this as an opportunity to review the adequacy of the safeguards you have in place and consider whether more needs to be done in order to comply with your obligations under the Act.

Peter Harthan is a solicitor at Riverview Solicitors, the fixed price legal business.