In the fifth instalment of our “Europe under Review” series, we will look at current data privacy laws and best practice in the UK in relation to data security, and, briefly, the impact of the new Data Protection Regulation.
Security measures: Under UK data privacy laws, a data controller is required to implement appropriate security measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage of personal data. These measures must be appropriate to the nature of the personal data and the harm that could result from its misuse, and include both technical and organisational measures.
Employees: The data controller must take reasonable steps to ensure the reliability of any employees who have access to personal data.
Data processors: Finally, where a data controller engages a data processor to process personal data on its behalf, the data controller must only select a data processor who can provide an adequate level of data security, must have a written agreement under which the data processor will act only on the data controller’s instructions and will maintain adequate security measures, and must take reasonable steps to ensure that the data processor complies with those measures.
What does this mean in practice? As a minimum, all data controllers need to have security policies and governance in place (ideally formal documents / processes subject to regular review and audit). They should include:
(a) comprehensive IT security arrangements for fixed and portable equipment (e.g. encryption, secure deletion of personal data, locking of unattended PCs);
(b) physical security measures (e.g. premises security, locked cabinets, paper shredding);
(c) staff training (for all staff) on security measures to ensure that they are followed; and
(d) due diligence of data processors and their security measures, and written agreements with them that meet the relevant requirements.
Good practice would also include:
(a) regular compliance audits, both internally and of data processors, to identify / rectify issues;
(b) regular reviews of security measures to ensure that they remain appropriate. A measure that is appropriate now might not be sufficient in five years’ time as technology develops;
(c) an incident response plan to manage, and mitigate, data security breaches / incidents; and
(d) a structured mechanism for appointing data processors to include assessment of their security measures (e.g. standard due diligence questions) and ensure that the relevant requirements for written agreements are met (e.g. a template agreement / provisions).
Position under draft Data Protection Regulation
Security measures: The requirement for appropriate security measures (now called the “integrity” principle) is replicated. A subtle change in the language reinforces the concept of “privacy by design” – measures should be built into processing activities (rather than overlaid on them).
This is supplemented with a requirement for a security policy covering certain matters. Whilst many of these are already addressed as a matter of good practice in the UK, this is a more prescriptive approach than we are used to (reflecting the draft Regulation’s often “tick box” approach to compliance). Data controllers will, in due course, need to review their existing policies to ensure compliance.
Reporting data breaches: Significantly, data controllers will have to report data breaches to the ICO without undue delay (and in some circumstances tell affected individuals as well). Data controllers are also required to keep a detailed log of the breaches, their effects and the remedial steps taken. This is an additional administrative burden (particularly as there is no de minimis threshold or test for reporting to the ICO or logging breaches), and data controllers may find themselves subject to greater criticism and more claims as breaches become more widely publicised.
Data processors: Data controllers must only select a data processor that has sufficient measures and procedures to ensure compliance with the Regulation and protection of the rights of data subjects (rather than just an adequate level of security), and ensure a data processor’s compliance with them (rather than take reasonable steps to do so). So the bar for selecting (and monitoring) data processors will be raised (at least on paper, as given their own obligations, many data controllers will, in practice, already ensure that their data processors have such measures and procedures).
A written agreement with a data processor will not always be required but, as the likely best way to meet the requirements of the draft Regulation, we expect them to continue to be required in practice.
Finally, additional terms must be agreed with data processors (e.g. for data processors to comply with the security policy mentioned above and only employ staff bound by a contractual or statutory duty of confidence). Whilst data controllers may already agree some of these as a matter of course, they will need to bear this in mind in future to ensure that all the required terms are agreed.
Look out for our post next week on “International Data Transfers” …