Jeremy Swinfen Green, Teiss’s Head of Consulting, offers some advice on keeping this side of the data protection law and avoiding accidental data leaks.
The news that an individual employee of a company has been fined £2000 for offences under the Data Protection Act (DPA) is a useful reminder that we are all subject to data protection rules.
Admittedly the employee concerned was indulging in fairly unsavoury behaviour. However, anyone in the UK processing personal data needs to be aware of their responsibilities to treat it in accordance with the principles behind the Data Protection Act and, from May 2018, in accordance with the EU's GDPR.
Data protection principles
The data protection principles are outlined in the Data Protection Act. Follow them when you are dealing with pesonal data and you are likely to remain on the right side of the law. The principles include:
- Fair and lawful processing.
- Processing for limited purposes.
- Processing that is adequate, relevant and not excessive.
- Keeping data accurate and up to date.
- Ensuring data is not kept for longer than is necessary.
- Ensuring data is processed in line with people’s rights.
- Taking care that it is kept secure.
- Making sure it is not transferred to other countries without adequate protection.
The problem is, perhaps, that “processing” has such a wide definition. It includes collecting, storing, editing, sharing, manipulating, archiving and destroying data.
In fact pretty much anything. Once you have personal data in an electronic form (or indeed in any form that is designed to be filed in some way, i.e. not thrown away immediately) you will find yourself needing to comply with the data rules.
No one is going to expect individual non-specialist employees to be able to combat hackers. And it would be unreasonable to expect people to be able to detect and foil the attentions of confidence tricksters and other scam artists all the time.
Getting caught out in this way is highly unlikely to land you in the dock.
However, if you are negligent with personal data you are likely to find yourself in as much trouble as if you actively decide to misuse it.
Accidental data leaks
So what should people look out for? There are a number of scenarios that, if you are aware of them, it should be fairly easy to avoid. And here are eight particularly common ones:
- Emailing a group of people who haven’t given you permission to share their email addresses (an example of personal data) using the “copy” function rather than the BCC (blind copy) function. If you do this everyone can see everyone else’s addresses.
- Pressing “reply all” on an email that includes personal data about one of the recipients. “Reply all” is a bad habit anyway as it clutters up people’s inboxes. So you should only use it when absolutely necessary.
- Including the complete contents of a thread of emails, where one of the earlier emails includes personal data about an individual.
- Leaving written printed personal information on an unattended desk or in the waste bin; allowing printed information to remain on a printer; allowing it to remain within the memory of a printer that has malfunctioned.
- Leaving personal information visible on an unattended computer screen.
- Allowing people to access documents containing personal information on shared devices such as tablets or work computers that you have given colleagues access to.
- Sharing personal data orally (i.e. talking) in the hearing of others who are not authorised to have access to it.
- Storing personal information on portable devices (anything from a laptop to a USB stick) that don’t have a lock on them; ideally personal information on portable devices should be encrypted.
Of course anyone can make a mistake. But with the EU’s GDPR fast approaching, it is as well try take extra care to make sure you are treating personal data with the care that it deserves. So make sure that you know what "personal data" is. You might be surprised what it involves.
The current law in the UK defines personal data as "data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller". Importantly, it includes "any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual."
In other words names, contact details, photos and any opinions such as work references all fall under the rules. When the GDPR rules come into play, they will also cover things such as computer IP addresses and work emails.
Once you are aware of what personal data involves, it is easier to keep aware of when you handle it. And when you do handle it, make sure you are doing so in compliance with those 8 principles of data protection we mentioned earlier.
If you need to sharpen up your understanding of how to comply with data protection rules, then consider attending our full day workshop on GDPR and data privacy. It will give you the knowledge and insight you need to keep your organisation's personal data safe.
Image under licence from thinkstockphotos.co.uk copyright Toa55