Data Protection Act

The Data Protection Act 1998 (DPA) is based around eight principles of ‘good information handling’. These give individuals specific rights in relation to their personal information, and place certain obligations on organisations responsible for processing it.

Summary

This guidance sets out what an organisation needs to consider in a security breach. It is not a comprehensive guide to information security. It should assist organisations to determine an appropriate course of action if a breach occurs.

Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. Many organisations take the view that one of those measures might be the adoption of a policy on dealing with a data security breach.

However the breach has occurred, there are four important elements to any breach management plan:

1. Containment and recovery

2. Assessment of ongoing risk

3. Notification of breach

4. Evaluation and response

1. Containment and recovery

Data security breaches require an initial response to investigate and contain the situation, together with a recovery plan and damage limitation. This means having appropriate resources available, isolating compromised networks, or changing access codes. As well as the physical recovery of equipment, it may involve the use of back-up tapes to restore lost or damaged data, and notification to the police where appropriate.

2. Assessing the risks

Some data security breaches are merely inconvenient, while others may lead to identity fraud. Much depends on the type of data involved, whether it was encrypted, how sensitive it is, and the number of items affected.

There may be wider consequences to consider such as a risk to public health or loss of public confidence.

3. Notification of breaches

Informing individuals and organisations can be an important element in breach management strategy, and in many contracts it will be a legal requirement.

But informing is not an end in itself. Notification needs a clear purpose to enable individuals to take steps to protect themselves, or to allow appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.

From 26 May 2011 certain service providers have a requirement to notify the Information Commissioner's Office (ICO). The ICO has produced guidance for organisations on the information it expects to receive as part of a breach notification and on what organisations can expect on receipt of their notification.

4. Evaluation and response

It’s important not only to investigate the causes of the breach, but also to evaluate the effectiveness of your response. Simply containing the breach and continuing ‘business as usual’ is not acceptable. Similarly, if the response was hampered by inadequate policies, or by a lack of clear allocation of responsibility, then it is important to review and update them.

Dealing with a data security breach is much easier if you know which data is involved and where and how it is stored. Monitor staff awareness of security issues and fill any gaps through training or tailored advice.

The main provisions of the DPA can be found in the ICO Guide to Data Protection (PDF).
