Safe & Secure? How not to be a data controller

In November, a barrister left some bulky files relating to a court hearing locked in her car overnight.  Her car was broken into and the files stolen.  The stolen files were not recovered and the Information Commissioner got involved, investigating whether the barrister had failed to comply with her obligations as a data controller under the UK Data Protection Act 1998. In March of this year, the barrister signed an Undertaking committing herself to comply with the Seventh Data Protection Principle which requires that appropriate measures are taken to guard against the loss or destruction of personal data.  The terms of the Undertaking make it clear that where files containing personal data are removed from the security of the office, they must be subject to appropriate security and “kept in a locked storage place”.

The worrying thing for anybody who has ever taken work home is that the guidance issued by the Information Commissioner, and indeed the terms of this particular Undertaking, do not dictate a minimum level of security.    Previous guidance notes from the Information Commissioner make it clear that the level of security required will depend upon how sensitive the personal data concerned is and how damaging or distressing its loss would be.  The more sensitive the data, the more careful you are expected to be.

In terms of physical security, the clear conclusion to be drawn from events in Bristol must be that a locked car parked on a public street overnight is not considered secure.  Especially where the information concerned is sensitive personal data.  The reference to a “locked storage place” suggests that the information needs to be stored somewhere in a building.  But it is not clear whether the Information Commissioner will go further and expect a “locked storage place” to mean a locked room or cupboard or a strong box or safe.

There is another lesson we can learn from the barrister’s experience:  possibly the best way to minimise the risk is not to take work home with you…

The full text of the Undertaking is here:

Undertaking

The ICO’s guidance is here:

ICO Good Practice Note – security of personal information

2 Comments

Filed under Intellectual Property

2 responses to “Safe & Secure? How not to be a data controller

  1. It is interesting to see the levels of fines. I have been told by a barrister friend that the fine proposed for the other barrister – the one mentioned in the posting above – was £40,000, but this fell through due to a technical deficiency in the legislation. A figure of £60,000 is mentioned above.

    When you compare these figures with the offence of causing death by health and safety deficiencies, where the fine tariff is in the region of £100,000, one wonders whether the level of fines for information offences is proportionate, particularly for a professional “sole trader”.

  2. A car is most certainly not a ‘safe’ place in which to keep private data of clients. To me, even considering that it might be is equivalent to leaving a locked briefcase of private data out on the street while you go for a long lunch – a car is emminently movable, and quite patently the definitions need to shift to put a ‘locked storage place’ under the ‘immovable property’ category.

    Of course this must remind us of the recent fine of a4e, a legal services business fined £60,000 by the ICO for allowing an unencrypted laptop out of the premises, which was then stolen.

    Here’s a question for the ICO as to the definition of what is ‘safe and secure’: what’s the physical equivalent of modern day asymmetric key encryption on a computer? Because really that’s what we should be judging people by. Answer: a huge bank safe. So, really, that barrister would never be able to reach the required standard. However, a locked filing cabinet really is at the other, far more insecure, end of that potential spectrum of physical security if judging by digital standards.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s