One may recall the series of articles that have hit daily newspaper headlines and privacy web pages in the UK reporting serious data security breaches. The UK’s Information Commissioner must have consumed additional calories in investigating all the complaints which have landed on his desk in a short span of time. The insurmountable media pressure, certainly, was not on his side.

A few cases to jog our memory on the subject include the loss of the entire database of child benefit recipients maintained by Her Majesty’s Revenue and Customs Department and the loss of confidential data concerning more than 15,000 people which was intended to be sent, by the same department, to the Standard Life Pensions department in Edinburgh. These bold security blunders have a common denominator: the loss, while in transit, of a secondary storage device on which personal information was retained. To the dismay of everyone, such information was password protected but not encrypted, thus making it liable to easy retrieval by third parties.

The Data Protection Act lays down a generic provision on data security and stipulates that a data controller shall implement appropriate technical and organisational measures to protect the personal data that is processed against accidental destruction or loss or unlawful forms of processing, thereby providing an adequate level of security. The wording has been transposed verbatim from the European Directive. The intention of the legislator was to provide the general platform to serve as guidance for national authorities to adopt implementation measures applicable to the various sectors.

Data controllers are required to notify the Commissioner of the security measures implemented on their processing operations, to ascertain that personal data is safeguarded from unauthorised access.

A common mistake in systems security is to focus on “glamorous” but low probability threats which, for instance, can come from a capable attacker who can possibly manipulate traffic and may succeed in logging on to systems by password sniffing and address spoofing techniques. It’s useless implementing the most advanced security infrastructure and not advocating the very basic and natural safeguards required to plug a trivial security hole.

Privacy enhancing technologies (PETs) are one of the effective solutions promulgated by the data protection authorities. These are tools which address privacy matters by preventing the unnecessary processing of personal data and ensuring adequate security safeguards. Such technologies seek to build privacy into the technical solution itself. The European Commission considers that PETs should be developed and more widely used.

Practical examples of these privacy technologies include access rights and restrictions, full audit trail including the recording of any action performed on a system, encryption mechanisms, degree of anonymity by making use of pseudonyms, data minimisation, segregation of data which leads to non-linkability and automatic deletion of personal data.

In addition to the foregoing, and in particular to access rights and restrictions, the internal structure of any organisation should also cater for the practice that employees gain access to information solely by justifying a legitimate business requirement. Confidentiality agreements and, where applicable, oaths of secrecy are additional safeguards which data controllers may adopt to bind their employees.

Data controllers are also encouraged to formulate security policies requiring high-level security behaviour to be strictly adhered to by staff members. It is essential to ensure that such policies are enforced by mechanisms that are strong in terms of compliance. Methodologies and risk assessment strategies exist to ascertain completeness of security policies and ensure that they are completely enforced.

The introduction of a European data breach notification requirement for the electronic communication sector, incorporated in the review of the ePrivacy Directive, is a recent important development. It has the potential to increase the level of data security in Europe and foster reassurance amongst citizens on how their personal data is being secured and protected by electronic communication sector operators. This new requirement shall be transposed into the local legal statute under the Data Protection Act, amending existing regulations, in the forthcoming months.

The security chain should be seen in a holistic manner because the lack of proper attention to one link can lead to the collapse of the whole system. The human element is normally considered as being the weakest link in the security chain and in this respect data controllers should address this facet of internal processes to the best of their technical and organisational abilities.

Mr Deguara is the head of the technical unit in the Office of the Data Protection Commissioner.
