The Office of the Information Commissioner (ICO) has this morning announced a third personal undertaking to be given by an individual. This follows hot on the heels of yesterday’s announcement in relation to the Oliver Letwin MP “park bins” incident.
Why is this significant?
In many instances, the data controller will be a company, body corporate or other body (for example, a public authority). However, where an individual acts as a sole trader, or trades/carries out processing in an individual capacity (for example, an MP, barrister, or an accountant trading as a sole practitioner), that individual will be the data controller.
This means that it is the individual who is responsible for the processing that he carries out (or that his employees or contractors may carry out on his behalf), and therefore that the individual is also personally liable for any breach of data protection laws. Scary stuff.
What happened in the latest case?
The latest undertaking has been given by an advocate (the Scottish equivalent of a barrister), whose unencrypted laptop was stolen from her house whilst she was on holiday in September 2009.
As I noted in my blog on the Oliver Letwin incident, the Data Protection Act requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The circumstances surrounding the theft are largely academic (the advocate had tradesmen in the house whilst she was away, but it’s not clear when or how the theft took place). What is important is that the laptop, which contained details of various cases that she was working on, was not encrypted. In particular, notwithstanding that the theft took place, the ICO appears to be satisfied with the physical security measures that the advocate had in place. However, the failure to put in place adequate security measures in respect of the laptop itself has led to the advocate being required to give a personal undertaking. A breach of an undertaking could lead to a fine, or an enforcement notice and ultimately prosecution.
What does the ICO require in respect of security measures?
It’s worth recounting the key parts of the undertaking in full, to re-emphasise what the ICO expects data controllers to be doing in relation to device encryption and security:
- Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted by 31 December 2011;
- If personal data is to be stored overnight, other than securely within the data controller’s place of work, it shall be kept in a secure, locked storage place;
- The data controller shall subscribe to any information security policies and procedures as and when they are implemented by the Faculty of Advocates or her stable [Scottish equivalent of a set of Chambers], and take all appropriate steps to comply with these at all times;
- The data controller shall implement such other security measures as she deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
I suspect that many individuals who act as data controllers have, to date, generally taken a laxer approach to information security than bodies corporate and public bodies (where information security is a key reputational issue). This undertaking (and yesterday’s undertaking from Oliver Letwin) highlights that there is no difference in the standard that the ICO expects. In instances where individual data controllers are processing personal data (as an advocate, barrister, MP or sole trader will do), it is essential that appropriate steps are taken to ensure that data is kept secure.
On November 16, 2011