Why breaking data protection law is easier than you think
The Data Protection Act covers many different types of record, both paper and digital. As recently released ICO figures show, many organisations are finding it a challenge to comply with the legislation.
Are you aware of your obligations under the Data Protection Act? If not, your business could be breaking the law without being aware of it, risking legal sanction, fines and long-lasting reputational damage.
The key part of the regulation is Principle 7, which covers data security. It states that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’ Essentially, that means that you must do what you can to stop personal data being lost or falling into the wrong hands.
The Information Commissioner’s Office (ICO), which oversees UK organisations’ compliance with the regulations, recently released its facts and figures on data breaches during 2016. There were a total of 2168 breaches over the whole of the year. In sector terms, healthcare suffered the largest number of breaches, with 40% of the total, followed by local government and general business with 10% and 9% respectively. Media, marketing, utilities, religious and political organisations had the best record.
The various types of breach reported by the ICO illustrate the many different routes by which data can leak out of your organisation. A simple, thoughtless action like clicking ‘send’ or leaving a laptop unattended can easily lead to a breach.
And while it’s easy to imagine that ‘data’ only refers to digital records, in fact paper records can be just as important, and just as hard to control. After all, once data is printed on a sheet of paper, that sheet can go anywhere, with anyone, potentially carrying confidential information into the wrong hands.
For example, 42% (986) of breaches in 2016 (across all sectors) were caused by the improper handling or disposal of paperwork. Within this category, the most numerous incidents were data being posted or faxed to the incorrect recipient (37%) and the loss or theft of paperwork (34%). Other breaches were due to errors such as data being left in an insecure location, insecure disposal and failing to redact sensitive data before sharing a document.
No fewer than 76 data breaches occurred where the sender failed to use BCC when sending email to multiple recipients, resulting in the full list being disclosed. And these are only the incidents that the ICO are aware of – this is believed to be a common workplace error. Other computer-related problems arose from phishing (obtaining data online through deception), exfiltration (unauthorised data access) and misconfiguration of cyber security (such as publishing data online by mistake, or leaving default passwords in place).
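The BCC failure described above is one of the few breach types that can be caught mechanically before the message leaves. The following is an added example, not code from the original article or from Shred Station: it inspects an outgoing message and flags any case where more than one outside address is visible in To or Cc, which is exactly the situation that discloses the full recipient list. The internal domain, the threshold and the sample messages are constructed assumptions for the example.

```python
"""Outbound-mail check for the visible-recipient disclosure the ICO figures describe."""
from email import message_from_string
from email.utils import getaddresses

# Visible external recipients above this count are treated as a disclosure risk.
# The value is an assumption for this example; tune it to your own policy.
MAX_VISIBLE_EXTERNAL = 1

def visible_external_recipients(raw_message, internal_domains):
    """Return external addresses that appear in To/Cc (visible to every recipient).

    Bcc is ignored on purpose: addresses there are not disclosed to the others.
    """
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    internal = {d.lower() for d in internal_domains}
    external = []
    for _name, addr in pairs:
        domain = addr.rpartition("@")[2].lower()
        if addr and domain not in internal:
            external.append(addr.lower())
    return external

def check_recipient_exposure(raw_message, internal_domains, limit=MAX_VISIBLE_EXTERNAL):
    """Flag a message that would disclose a list of outside recipients to each other."""
    external = visible_external_recipients(raw_message, internal_domains)
    if len(external) > limit:
        reason = f"{len(external)} external addresses visible in To/Cc; use Bcc"
        return {"block": True, "reason": reason, "addresses": external}
    return {"block": False, "reason": "ok", "addresses": external}

# Constructed sample: a mailshot with every outside recipient in To/Cc.
SAMPLE_BAD = """From: newsletter@example.org
To: alice@customer-one.example
Cc: bob@customer-two.example, Carol <carol@customer-three.example>
Subject: Monthly update

Hello all,
"""

# Constructed sample: the same mailshot sent correctly, recipients in Bcc.
SAMPLE_OK = """From: newsletter@example.org
To: newsletter@example.org
Bcc: alice@customer-one.example, bob@customer-two.example
Subject: Monthly update

Hello all,
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_OK):
        print(check_recipient_exposure(sample, ["example.org"]))
```

A check like this belongs in the mail gateway or sending tool rather than in staff memory, since the ICO count covers only the incidents that were noticed and reported.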
Even careless conversations can constitute a data breach: there were 40 instances of verbal disclosure throughout 2016.
These examples show how important it is for staff to know and understand data protection law and how it affects their everyday work. The necessary actions include everything from taking basic care over user information to establishing good procedures for keeping paper records physically secure, particularly when away from the office. Staff may also need some IT training – including full competence with the essential business applications we all use every day, and good security practices such as choosing strong passwords.
At Shred Station, we can help with the secure disposal of paper records that are no longer required, as well as computer equipment that needs to be destroyed at the end of its life. We can carry out secure shredding of confidential waste at your own premises or on our own site, and provide a certificate of destruction that confirms all your data has been securely destroyed. You can read more details at our services pages.
- Read our guidance article for more advice on how to safeguard confidential data.
- The source for all statistics quoted in this article is the Information Commissioner’s Office.