
Data loss - Data defence

Anne Crofts and Rhiannon Davies make the case for adhering to Financial Services Authority regulations on maintaining good data security

Recent high-profile data losses have brought the importance of data security in the workplace to the forefront for many organisations, particularly those regulated by the Financial Services Authority.

All organisations that control personal data, whether for their employees, customers or other members of the public, have a responsibility under the Data Protection Act (1998) to ensure appropriate and proportionate security for the personal data that they hold. For most organisations, reputational damage and the limited powers of enforcement of the Information Commissioner's Office are their only fears.

Those regulated by the FSA, however, are subject to tougher powers of enforcement. The watchdog can impose significant financial penalties, a power it has not been afraid to use against Norwich Union Life, which was fined £1.26m after the personal details of hundreds of customers were extracted from call-centre staff. Similarly, Nationwide Building Society was fined £980,000 following the theft of a laptop carrying 11 million customer account details.

Increasingly, data loss is due to fraud. With more and more outsourced functions, flexible working environments and greater access to information via computers, unscrupulous individuals have countless opportunities for stealing personal data, the resale of which is now big business for terrorists, money launderers and other organised crime gangs.

The FSA provides pragmatic examples of good data security practice in its report Data Security in Financial Services, which was published last year. This illustrates that good practices need be neither disproportionately expensive nor complicated to achieve.

Some examples of good practice criteria highlighted by the FSA include:

- Laptops are properly encrypted, audits of the information stored are undertaken and laptop policies are implemented and enforced.

- Employees are only permitted to download customer data on to USB devices if there is a genuine business need.

- Staff and third-party suppliers are properly vetted - especially those with access to large amounts of personal data - and access is strictly limited to information required to do their jobs.

- Strict, strong password policies are adopted and staff are prevented from sharing passwords.

- There is adequate physical security, such as intruder deterrents, use of electronic swipe cards and a clear-desk policy.

- Data is disposed of securely, for example by treating all paper that an organisation produces as confidential and producing as small a quantity of paper-based customer data as possible.

Such measures are not necessarily expensive to put in place if done on a planned basis, yet they can be very expensive if an FSA and/or ICO finding necessitates quick rectification.

With the current media attention and the data security spotlight focused on the FSA's approach to enforcement, no regulated company can afford to relax its grip on complying with data protection requirements.

- Anne Crofts, partner, and Rhiannon Davies, solicitor, commercial services group, Beachcroft.
