Members of the British Security Industry Association’s (BSIA) Information Destruction Section are warning organisations from all sectors to ensure that they comply with the Data Protection Act. This follows on from the news that Greater Manchester Police (GMP) has been fined £150,000 by the Information Commissioner’s Office (ICO) for a breach of the Act after three DVDs containing footage of interviews with victims of violent or sexual crimes were lost in the post.
The force sent the unencrypted DVDs to the Serious Crime Analysis Section (SCAS) of the National Crime Agency by recorded delivery, but they were never received. The DVDs, which showed named victims talking openly, have never been found.
An investigation conducted by the ICO found that GMP failed to keep highly sensitive personal information in its care secure and didn’t have appropriate measures in place to guard against accidental loss. This constitutes a breach of data protection law.
The ICO’s investigation discovered that GMP had been sending unencrypted DVDs by recorded delivery to the SCAS since 2009 and only stopped doing so after the security breach in 2015.
The ICO previously fined GMP £150,000 in 2012 after an unencrypted USB stick was stolen.
Data Protection Act 1998
The Data Protection Act 1998 is an Act of Parliament which controls how personal information is used by organisations, businesses or the Government. It’s enforced by the ICO. The ICO has been granted a number of powers to enforce the Act including non-criminal enforcement and audit, the ability to levy monetary penalties up to £500,000 and even to pursue criminal prosecution.
Businesses run the risk of significantly damaging their reputation by failing to comply with the Act. To fully comply with the Data Protection Act, businesses should ensure that they follow the eight data protection principles.
Under the Seventh Principle of the Data Protection Act, businesses are obliged to take appropriate measures against the accidental loss/destruction of (or damage to) personal data and against any unauthorised or unlawful processing of data.
Don Robins, chairman of the BSIA’s Information Destruction Section, commented: “Businesses need to safeguard the individuals about whom they hold data by ensuring that documents are shredded by a reputable data destruction company when they’re no longer required. The same degree of caution must also be taken with computer or laptop hard drives and any other items which could be used to identify or impersonate individuals.”
To ensure that confidential data is disposed of securely, businesses should insist on a written contract with a company capable of handling confidential waste. The service provider must give a guarantee that all aspects of data collection and destruction are carried out in a secure and compliant manner.
To ensure this is the case, service providers should comply with European Standard BS EN 15713:2009 for security shredding and also with BS 7858, which is focused on staff vetting.
Data controllers wishing to securely dispose of confidential material may consult a member company within the BSIA’s Information Destruction Section, which consists of companies that securely destroy a range of confidential information including paper, DVDs and computer hard drives.
All Information Destruction Section members work to the European Standard for the secure destruction of confidential material (the aforementioned BS EN 15713:2009) as part of their ISO 9001 inspection regime.
*For more information or to source a supplier of information destruction services visit www.bsia.co.uk/sections/information-destruction
Free event to help Scottish businesses strengthen cyber security
Helping businesses to navigate the complex world of cyber security is the aim of a new event taking place in Scotland on Friday 2 June. Organised by the BSIA in partnership with the Scottish Business Resilience Centre (SBRC) and running at Tulliallan Police College in Kincardine, the seminar is free to attend and includes presentations from a wide range of cyber security experts as well as a fascinating demonstration from an ‘ethical hacker’, who will highlight the surprising vulnerabilities in the systems and technology we use every day.
On the day, Keith McDevitt (cyber security integrator at the Scottish Government) will be making a detailed presentation alongside the SBRC’s Graham Bye.
Guidance will also be given on the new EU General Data Protection Regulation (GDPR), with which all businesses must be fully compliant by May 2018. Advice for SMEs on preparing for the impact of the GDPR will be covered in a presentation to be given by Federico Charosky of Quorum Cyber, while Ian Kerr of event sponsor ID Cyber Solutions will provide an introduction to ‘Cyber Essentials’.
Speaking about the event, John MacAskill (Scottish regional representative for the BSIA) told Risk UK: “Computer-enabled crime and fraud now accounts for a higher proportion of UK crime than all other forms of criminality, so it’s more important than ever for companies to ensure they’re adequately protected from this growing threat.”
A report published earlier this year by the Institute of Directors revealed that, while 95% of respondents considered cyber security ‘very important’ or ‘quite important’ to their business, almost half of them had no formal security strategy in place, with 40% not knowing who to contact if their business suffered a serious security incident.
Chief Inspector Ronnie Megaughin, deputy CEO of the SBRC, said: “Cyber security breaches pose a very real and often underestimated threat to businesses in Scotland. It’s vital that businesses are made aware of the precautions they can take to fight this danger and who to contact if things do go wrong. By making sure the basic defences are right, businesses of every size can protect their reputation, finances and operating capabilities. Events like this are a great way of shining a light on this key issue. If we’re to see commerce in this country continue to flourish it’s absolutely vital all businesses take online threats very seriously.”
*To download a full programme and book your free place at what promises to be an interesting and informative event visit www.bsia.co.uk/events