In the past, when most organisations’ records were stored on paper files and card indexes, keeping them secure was just a case of locking the filing cabinet at the end of the working day. Nowadays, when sensitive information is routinely stored on valuable portable devices such as laptops, memory sticks, tablets, and mobile phones, as well as sent by email, information security is a different proposition.
Consider these cases:
In June 2011 the Information Commissioner (ICO) brought a case against Sheffield-based Asperger’s Children and Carers Together after an unencrypted laptop, containing personal data relating to 80 children who attended its sessions, was stolen from an employee’s home. The laptop was being used to store medication information as well as children’s names, addresses and dates of birth.
Southwark Council breached the Data Protection Act by misplacing a computer and some papers containing 7,200 people's personal information, which were later discovered in a skip. The information included people's names and addresses, along with other details relating to their ethnic background, medical history and any past criminal convictions. Once again the data on the computer were not encrypted.
Praxis Care Limited breached the Data Protection Act by failing to keep people's data secure. An unencrypted memory stick, containing personal information, was lost in August 2011. Some of the information was sensitive and related to individuals' care and mental health. At the time, Christopher Graham, UK Information Commissioner, said: "Carrying people's personal information around on an unencrypted memory stick is clearly unacceptable."
Any organisation that holds and processes “personal data” is legally obliged to protect that information. “Personal data” is a data protection term meaning data that relate to a living individual who can be identified. An organisation may hold such data about clients, staff, volunteers, suppliers, donors, and others.
The purpose of data protection legislation is to prevent harm to those people whose data an organisation holds. Whether or not an organisation is registered with the Information Commissioner, it has legal obligations to protect its information. For guidance on the legislation, see www.ico.gov.uk
Physical loss of a memory stick or laptop need not lead to the release of personal information if the data themselves are protected. The most basic protection is a password on the device, but a login password on its own does not protect the data: a disk taken out of a laptop, or a memory stick, can simply be read in another machine. A much more secure method is data encryption, which can be done by either software or hardware. A hardware-encrypted memory stick costing as little as £10 will lock down and re-format itself after ten unsuccessful password entry attempts. Software encryption is easy to implement and comes as standard with the professional versions of Microsoft Windows; free encryption utilities are also available online. Encryption is only as strong as the password that unlocks it, so choosing strong passwords and protecting them is just as important: a password that can be guessed from a dictionary gives little protection once the device is in someone else's hands. As a general rule, passwords should not be written down nor sent in an email or text message.
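To show why the password, rather than the cipher, decides whether a lost encrypted device stays safe, here is an added Python example; it is not code from this guidance note or from any particular product. It assumes a simplified volume header in which the password is stretched into a key with PBKDF2-HMAC-SHA256 and checked against a stored key check value, a hardware-style attempt counter that wipes the device after ten failures, and a small constructed attacker wordlist. The iteration count, the EncryptedVolume class, the wordlist and the passphrases are all illustrative.

```python
"""Password-derived keys on a lost device: online lockout versus offline guessing.

Added illustration, not code from the guidance note above. The volume
format, iteration count, wordlist and passphrases are assumptions made
for the example.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # illustrative; production tools use more, or memory-hard KDFs
KEY_LEN = 32
KCV_LABEL = b"key-check"

# Constructed attacker wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "Password1", "welcome1", "charity2011"]


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a password into a fixed-length key; deliberately slow per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)


class EncryptedVolume:
    """Minimal model of an encrypted stick or disk: a random salt and a key
    check value derived from the unlocking password. The real data key and
    ciphertext are omitted; only the unlock logic matters here."""

    def __init__(self, password: str, max_attempts: Optional[int] = None):
        self.salt = os.urandom(16)
        key = derive_key(password, self.salt)
        self.kcv = hmac.new(key, KCV_LABEL, "sha256").digest()
        self.max_attempts = max_attempts  # None: software volume with no attempt counter
        self.failures = 0
        self.wiped = False

    def key_matches(self, key: bytes) -> bool:
        """Constant-time comparison of the candidate key's check value."""
        return hmac.compare_digest(hmac.new(key, KCV_LABEL, "sha256").digest(), self.kcv)

    def unlock(self, password: str) -> bool:
        """Online path, as through a hardware stick's own PIN pad or unlock prompt."""
        if self.wiped:
            return False
        if self.key_matches(derive_key(password, self.salt)):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            # A hardware stick destroys the key and re-formats at this point.
            self.wiped = True
            self.kcv = b""
        return False


def offline_dictionary_attack(volume: EncryptedVolume, wordlist) -> Optional[str]:
    """The attacker has copied the header (salt and key check value) off a lost
    stick, so the attempt counter never runs. Only the cost of each guess and
    the size of the password space slow this down."""
    for guess in wordlist:
        if volume.key_matches(derive_key(guess, volume.salt)):
            return guess
    return None


def demo() -> dict:
    """Compare a weak password and a long passphrase under both attack paths."""
    weak = EncryptedVolume("Password1")
    strong = EncryptedVolume("tulip granite seven ledger ocean")  # illustrative passphrase
    hw = EncryptedVolume("Password1", max_attempts=10)
    online = [hw.unlock("guess%d" % i) for i in range(10)]  # ten wrong PINs at the keypad
    return {
        "weak_cracked_offline": offline_dictionary_attack(weak, WORDLIST),
        "strong_cracked_offline": offline_dictionary_attack(strong, WORDLIST),
        "hw_guesses_succeeded": any(online),
        "hw_wiped_after_lockout": hw.wiped,
        "hw_correct_password_after_wipe": hw.unlock("Password1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lockout only helps when the attacker has to go through the device's own unlock path; a software-encrypted file or disk image can be copied and guessed at offline for as long as the attacker likes, which is why the wordlist password falls and the long passphrase does not.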
As for the physical security of portable devices, laptops can be secured with cables or indeed locked away when not in use. When travelling with a laptop or tablet containing sensitive information, there are degrees of security you can employ, for example not advertising to thieves that you are carrying a laptop by not using a laptop bag. Keep your device in view at all times and avoid putting it on the floor. Do not leave it visible in your car, lock it in the boot instead.
Data in transmission
Protecting data in transmission is also important. Unless both you and the recipient are part of a secure email system, such as those used by some government departments, you must assume your communication is insecure. Ordinary email is not encrypted end to end: a message can be read by anyone with access to the mail servers it passes through or to the mailbox at either end, and the sheer volume of email sent every second does not hide a message from someone who is looking for it. Depending on their work, some organisations may consider themselves potential espionage targets. If you believe your emails may be targeted (by someone other than government security services!) you should carefully consider what the consequences would be of an unauthorised person reading your email; if the downside is too large, then use a more secure method, for example encrypting the attachment and giving the recipient the password by telephone rather than by email.
However, adequate security for most people will simply be a case of double-checking who they are sending an email to, what it contains and what’s attached.
In December 2011 the ICO served a monetary penalty of £130,000 on Powys County Council for a serious breach of the Data Protection Act, after the details of a child protection case were sent to the wrong recipient.
So, remember to think before you click!