
Data leaks, employee mistakes and how to avoid being the next scandal

As technology develops, organisations are collecting and storing more and more electronic data. We have seen the advent of ‘big data’, where the collection of large and often complex information creates challenges for traditional data processing, and have recently witnessed a number of high profile data leaks in the news involving serious and very damaging security breaches.

The recent security breach of the Ashley Madison dating website is a good example of why maintaining data and system security is so important. Hackers stole 10 gigabytes of data, reportedly containing more than 30 million user names, addresses, phone numbers and email addresses, which they then released online, with serious ramifications for the individuals concerned.

In another recent case, an email sent to subscribers of a newsletter from an NHS sexual health and HIV clinic mistakenly contained the names and addresses of all 780 individuals on the mailing list. This meant that everyone who received the newsletter, many of whom were HIV patients, could see each other’s names and contact details. This came not as a result of a hacker, but simply from a mistake by an employee.

While not all organisations hold data as sensitive as in those cases, the incidents are a reminder that a security breach, and the legal ramifications of a data protection failure, can be very serious not only for the individuals whose details are exposed but also for the organisation itself.

The Data Protection Act 1998 requires organisations to ensure that personal information is stored and used securely. With the increases in data storage, developments in technology and the ability of the Information Commissioner to impose real sanctions, organisations should be thinking carefully about information security.

Appropriate data security procedures will differ for every organisation depending on its size, its function and the nature of the data it collects. Both technical and organisational safeguards are needed, and organisations must ensure clear accountability for the data they manage and the security measures they adopt. Examples of measures which organisations should consider include:

  • Using technical controls to govern who may access, amend and inspect data, such as encryption, password protection and system threat alerts that detect unauthorised attempts to access data.
  • Adopting a business continuity plan and data back-up measures, and regularly reviewing and updating them.
  • Ensuring that all employees are appropriately trained on data security issues and on the procedures implemented by the business.
  • Adopting an information security policy.
  • Rolling out straightforward physical controls, such as locking doors and limiting access to only those people who require it to carry out their role.

For further information about data protection compliance please contact our Commercial Team on 0113 220 6284 or email luisadalessandro@schofieldsweeney.co.uk

About the Author

Luisa D'Alessandro

Partner

As head of the commercial team Luisa has a wealth of commercial law experience and advises clients…
