Perspectives on NHS IT security

Guide to Data Protection

(Guidance or legislation)

In recent months there have been several reported stories about data security breaches in which thousands of patients’ records were lost or stolen. Information security is no longer just about technical compliance; it is an issue of public concern. In particular, the Information Commissioner’s Office (ICO) is looking to fine organisations that fail to adhere to the Data Protection Act.

The Data Protection Act says: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

However, the ICO states that: “There is no ‘one size fits all’ solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances.”

Therefore, to help you, we are highlighting some key areas for you to address. The following excerpts on information security are taken from Principle 7 of the ICO’s “Guide to Data Protection”.

What needs to be protected by information security arrangements?
The requirements of the Data Protection Act go beyond the way information is stored or transmitted. The seventh data protection principle relates to the security of every aspect of your processing of personal data.

So the security measures you put in place should seek to ensure that:

    • Only authorised people can access, alter, disclose or destroy personal data
    • Those people only act within the scope of their authority, and
    • If personal data is accidentally lost, altered or destroyed, it can be recovered

What kind of security measures might be appropriate?
The Data Protection Act does not define the security measures you should have in place. However, particular security requirements that apply within particular industries may impose certain standards (e.g. the Department of Health’s ‘Good Practice Guidelines’).

Physical and technological security, and management and organisational security measures are likely to be essential.

Management and organisational measures
Carrying out an information risk assessment is an example of an organisational security measure.

Not every organisation will need a formal information security policy; however, all organisations will need to be clear about related matters such as the following:

    • Co-ordination between key people in the organisation
    • Access to premises or equipment given to people outside the organisation
    • Business continuity arrangements

Staff
It is vital that your staff understand the importance of protecting personal data, that they are familiar with your organisation’s security policy, and that they put its security procedures into practice.

Physical security
Physical security includes things like the quality of the doors and locks, and whether premises are protected by alarms, security lighting or CCTV. It also includes how you control access to premises, supervise visitors, dispose of paper waste, and keep portable equipment secure.

Computer security
Your computer security needs to be appropriate to the size and use of your organisation’s systems and your security measures must be appropriate to your business practices. For example, if you have staff who work from home, you should put measures in place to ensure that this does not compromise security.

Computer security is constantly evolving, and is a complex technical area. Depending on how sophisticated your systems are and the technical expertise of your staff, you may need specialist information security advice.

If you have any questions relating to security in your practice, one of our security consultants will be happy to assist you. Please call 01865 887 428.

Alternatively, to read the guide in full, please click here


Hytec Eynsham, near Oxford, UK | tel: 01865 887 428 | enquiry@hytec.co.uk