Is Data the new Health & Safety?


For years, even decades, business owners have bemoaned the ever-increasing burden of Health & Safety legislation, not because they object to workplace safety itself, but because of the bureaucratic mechanisms involved, the supervision and enforcement processes, the legal considerations, employee and union relations and so on.

Creeping up on the outside, unheeded by many directors and businesses, Data Protection legislation has been getting teeth. In April 2010 the new Information Commissioner secured the power to award fines of up to £500,000 for Data Protection breaches. At the time many of us, perhaps most, ignored this development, assuming it was reserved for the most extreme cases and that such large fines would never be awarded in real life.


In November last year the first fines were issued: £100,000 to Herts County Council and £60,000 to A4E Ltd. In February this year Ealing and Hounslow Councils copped a £150,000 fine between them. Earlier this month the Information Commissioner stated that he would have levied a £200,000 fine on ACS Law, but could not because the firm had ceased trading after its data was hacked; instead he imposed a £1,000 fine on the company's ex-director, saying it was minimal because of the director's limited means. It is widely rumoured that Sony may be the first to receive the maximum £500,000 penalty for the PlayStation Network breach.

In short, rather than six-figure fines being a fantasy reserved for extreme cases, the Information Commissioner has shown that he is prepared to levy "hard and harsh" on organisations that fall foul of data protection.

In parallel, the bar has been progressively raised, and we are expected to provide ever more stringent security over the data in our possession. In January 2008 the ICO issued an enforcement notice to Marks & Spencer requiring it to encrypt all laptop hard disks, following the loss of an M&S laptop containing employee data. At the time the ruling sent shock waves through IT management and suppliers: encryption was very rarely used and regarded by many as unjustifiably expensive to provide and support (I had ordered the encryption of all my company's laptops in 2006; it was painful but possible).

The interesting point about this escalation in penalties and security expectations is that most of the penalties have been imposed upon organisations that were themselves victims, through stolen laptops or hacking of their servers. Despite being victims they have been severely penalised because, in essence, the personal data they hold does not belong to them; they are merely custodians for the real data owners, the data subjects.

Holding personal data is increasingly a high-risk activity, to be considered in the boardroom alongside the other risks of business. Data governance is an emerging discipline, driven by both the costs and the risks of holding data. Very few of us can safely state that our organisations fully comply with, and are not at risk from, the expectations of the Data Protection Act.

So, is Data Protection the new H&S? Do we need to start paying more attention in the boardroom to the way our IT departments work, the access our staff have to our data, and the processes, procedures and systems we rely on to prevent data loss and security breaches? How does your organisation address the problem?


* Disclaimer: I used to be a full-time IT Director / CIO; now I own a consultancy covering, amongst other things, Data & Information Governance. I'm also a Chartered Director, and I sit in the boardroom alongside my colleagues having to address these issues and risks in real life, just as I have to consider H&S, employee fraud, supplier and creditor risks etc. I ask because I want to learn more about how others handle the emerging risk and compliance issue of data.