Keeping data out of the wrong hands

Google a few key words about information security and the public sector and you will find an alarming number of recent reports about the potential consequences of inadequate controls. They range from the theft of laptops containing confidential data, wholesale data losses and even the sale of a PC on e-Bay, complete with its files of medical records.
    
A common theme running through many of these reports is the lesson that information needs to be protected at every stage, and that includes the way it is disposed of. Failures of this kind are often unlawful as well as careless but prosecutions for breaches of the Data Protection Act generally take place only after the harm has been done. Good data security therefore must aim to anticipate and prevent problems before they occur.Access to data
A good starting point is to consider fundamental issues of access to data, including the physical protection of premises, training and computer security. Employees should only have access to information they need to do their jobs and they should be trained to be wary of attempts to obtain personal information. Shared passwords should not be used and information should be encrypted if its loss or theft will cause damage or distress. Anti-spyware should be considered to protect against software that can look for private information or even give someone else control of your computers. And, of course, computer equipment must never be disposed of until all the personal information has been securely removed, such as by destroying the hard disk.
    
Other effective precautions include assigning ownership of data to a named individual who is responsible for safeguarding the information and making decisions that could affect its security. Risk assessment should also be employed to ensure that protection is applied where it is most needed, along with periodic audits to check that standards are maintained. Members of staff can make a major contribution to this process by being trained to report any threats or inappropriate actions that come to light as they go about their daily tasks. Finally, it should be recognised that information failures and security breaches may occur from time to time and organisations need to be able to detect incidents reliably and initiate a prompt, appropriate response to minimise harm .

Secure disposal of data
The secure disposal of confidential data is an essential element of this work. This extends beyond physical documents to information held on computers and storage devices. Simply deleting files is not an adequate response. Today’s computer criminals are no longer the talented, mischievous teenagers portrayed in 1980s films such as War Games. Many are highly skilled computer experts who know how to manipulate systems and recover deleted information in order to steal identities, conduct fraudulent transactions and even commit blackmail. Crucially, the careless disposal of confidential data often allows them to do this without anyone knowing the information has been compromised. If that happens, it is obviously impossible to take appropriate countermeasures and the fraud is allowed to continue.
    
The volume of crime that occurs in this way is unknown, although by some estimates up to 99 per cent of fraud in the public sector goes undetected and the same may be true of offences resulting from the improper disposal of data. Almost any kind of personal information is valuable to criminals, for example, patients’ records, financial reports, payroll information and personnel data. The unlawful use of such information contributes to an explosion of identity theft crimes that are now estimated to cost almost £2 billion every year. Identity theft allows criminals to obtain goods, credit or services in someone else’s name. Offenders target both public and private sector providers, including the use of stolen identities to fraudulently obtain prescription medicines and state benefits.

Legal obligations
The law therefore imposes legal obligations on any organisation that processes personal information, whether about employees, customers or members of the public. The Data Protection Act essentially does two things: it tells organisations what types of information they may hold and how it must safeguarded. It does so through key principles for data protection, including the need for data to be processed in line with the rights of the individual and kept secure. The data must be accurate, updated where necessary and kept no longer than needed. These principles also include the use of effective means to prevent misuse by destroying personal information at the point of disposal.
    
Many infringements of the act relate to the way in which data is disposed of. The problem can only be overcome by treating all personal information in the same way as sensitive financial or medical records, by employing a professional information destruction service. Despite the ready availability of this common sense solution, companies and organisations continue to be prosecuted for improper disposal. Many more escape prosecution because their carelessness is never discovered. It is known that only a small fraction of corporate waste paper and data processing products such as hard drives, CDs, memory sticks and DVDs are destroyed annually by professional firms.

Everyday waste
By far the majority of such material continues to be disposed of via municipal refuse collection or waste paper reprocessing. Neither method generally involves any kind of secure handling, yet it is inevitable that much confidential data is included in this general waste and therefore a major cause of avoidable risk. It is not surprising in these circumstances that the rubbish bin is a regular source of prosecutions under the Act, just as it has long been a core element of the private detective’s trade.
    
The law sets clear rules for the destruction of personal information. It should be carried out by a company which guarantees under contract that processing (destruction) is done securely and effectively. The organisation and its chosen information destruction contractor are then jointly liable for any breaches of the Act when dealing with personal or sensitive data. Liability extends to individual managers and data controllers, who could face personal fines up to £5,000 and the prospect of a criminal record. Another possibility is civil action by a complainant, since anyone who suffers damage as a result of contraventions of the Act is entitled to compensation. Convicted organisations could also be subject to future spot checks to ensure compliance. Significantly, it is a defence to show that all reasonable care has been taken to comply and the BSIA’s Information Destruction Section was formed to enable organisations to meet their legal obligations.
    
The section’s remit is to assure good practice by operating to the BS 8470 standard for the collection, transportation and destruction of confidential material and the quality management standard ISO 9001:2000.  It defines the subject as the secure destruction of information in all its forms, including paper and computer media and hardware.  The section’s members collect confidential waste at source and provide a fully trackable service up to the point of destruction. The process consists of waste collection by secure transport, inspection, removal and destruction of rubbish, and the shredding, pulping and recycling or incineration of other material. Members of the Information Destruction Section provide free, no obligation advice to enable potential users to address their specific risks and requirements.

For more information
The British Security Industry Association (BSIA) is the professional trade association of the UK security industry. Its members produce over 70 per cent of the country’s security products and services to strict quality standards. For further information, visit www.bsia.co.uk. The BSIA operates a local rate help line, open during normal business hours on 0845 389 3889.

Please register to comment on this article