Data controllers beware – from 6 April 2010, the Information Commissioner’s Office (ICO), the body responsible for enforcing data protection regulation in the UK, will enjoy new powers to fine data controller organisations that commit a serious data breach. For a housing provider or other organisation to be fined:
It will need to have committed a serious breach of data protection law, i.e. the Data Protection Act 1998 (the “Act”);
That breach must be likely to cause substantial loss or distress;
The breach must have been deliberate or negligent, i.e. reasonable steps were not taken to prevent that breach.
The maximum fine is £500,000.
As well as the monetary fine that may be imposed, it should be noted that housing providers or other suppliers that lose personal data or do not implement adequate security measures to prevent unauthorised disclosure may suffer considerable damage to their reputation, wasted management time and loss of trust (e.g. from residents’ associations or public authorities). In addition, failure to operate and maintain adequate information security procedures may affect a provider’s competitive edge when tendering for business and funding from local authorities.
Further, where the data loss is negligent, an RSL or supplier may be liable for any foreseeable loss arising from that breach. It is important that the management team are aware of these risks and understand the implications of operating inadequate information security procedures.
Principle 7 of the Act deals with information security. In brief, a data controller is obliged to put in place technical and organisational measures which are appropriate to the nature of the personal data concerned: the more sensitive the data (e.g. medical or financial), the greater the distress or loss that may be caused by its loss or unauthorised disclosure, and the stronger the measures expected.
In February 2010, the Association for Teachers and Lecturers (ATL) lost the details of over 6,000 of its union members, including sensitive personal data, when a laptop and memory stick were stolen at the roadside. The laptop data was password protected but not encrypted, and the memory stick was neither encrypted nor password protected. Consequently, the ATL general secretary has been required to give a formal undertaking to the ICO to ensure that:
All portable and mobile devices that store personal data are encrypted;
The ATL’s data compliance policies are to be reviewed in relation to the transfer and storage of data; and
Staff are to be made aware of policies and restricted from extracting large amounts of personal data and storing it on memory sticks.
To avoid being forced to undergo an audit by the ICO and facing a fine or undertaking, housing providers and suppliers should carry out a review, ideally an independent legal and technical audit conducted both internally and externally, to ensure that their information security procedures are sufficient.
Unfortunately, given the economic pressures on RSLs, the focus is often on investing in systems which are very efficient at collecting data, but which may not be particularly well structured to prevent unauthorised loss or disclosure. This, coupled with the ever increasing demand on RSLs to collect more information, and, in fact, more sensitive information (relating to, for example, financial circumstances and ethnicity), means that greater attention should be paid to ensure that:
Technical systems are operated to prevent loss or disclosure (e.g. by means of implementing restricted user access for downloading data);
Adequate policies and procedures are put in place;
Staff are trained in information security compliance;
Such systems and procedures are implemented and maintained day-to-day when handling personal data; and
A robust audit trail is documented to demonstrate to an auditor or the ICO that such procedures are being followed.
If a data breach does occur, the ICO has stated that an organisation’s failure to report the breach may result in tougher sanctions than if it had reported the breach. Any housing provider or supplier that becomes aware of a data breach should therefore consider carefully the risks of failing to notify the breach. At the same time, steps should be taken to rectify any failings in the information security systems operated by that RSL.
The need to keep personal data secure remains as important as it always has been. The change which will become more evident, especially from April this year, is that the privacy regulator entrusted with enforcement now has teeth. The risk that this presents in the context of tenants’ data should be a real concern.
There may be increased pressure on those working both within and with RSLs to supplement their income by attempting to extract and exploit the personal data of those appearing on tenant databases in order to sell this data on to third parties (e.g. loan providers). These databases may contain not only financial and medical data, but also data relating to ASBOs, sexuality, socio-economic standing and behavioural risk assessment. At the same time, management will be debating where to invest reduced funding within its organisation.
It is suggested that those considering investing in improved information security compliance are likely to reap significant returns in limiting risk and financial exposure by conducting a legal and technical review of their data compliance technical infrastructure, policies and procedures.
Philip James is senior associate for media, brands and technology at Lewis Silkin LLP.