We have now all heard about the first fine potentially to be levied against British Airways. The fine is not there to punish accidents or problems that could not have been avoided; it is there to punish systemic failings, the accidents and problems that should have been avoided.
There are certain basics that need to be covered to demonstrate Accountability in data protection. You should have clearly defined Roles and Responsibilities, written and effectively published in-house Policies and Procedures, and a programme of data protection training.
Some aspects of this control framework appear to have let BA down on this occasion at least, with IT security in particular an issue. IT security is a subject in its own right; as lawyers we advise only on the organisational aspects of IT security, not on the technical Information Security Management System aspects. Even so, we would advise that the basics of IT security need to be communicated to colleagues.
What would we expect to see covered in an IT security policy?
- Access control functionality and management for all users of these systems.
- Access to systems is governed on a need-to-know basis, and each user remains personally responsible for the data they access even when they have the right to access it.
- Security for mobile computing, teleworking, homeworking, hotdesking, etc.
- Password policy and the importance of keeping passwords secure
- Security for removable and portable media devices
- Bring Your Own Device security
- Appropriate Use Guidelines, covering:
  - The importance of security and systems integrity, for example not loading software.
  - That certain activities (with examples provided, such as downloading games or unacceptable material) are considered “improper use”.
  - The restrictions on using company IT for personal use, and the circumstances in which IT may be put to personal use.
As well as the technical controls, the IT security policy should also remind colleagues that:
- Data held on IT systems, including “personal data” (with a definition of personal data), is confidential.
- Employee use of company IT is monitored.
- Breach of the policy could result in disciplinary action.
Mandy Webster, Data Protection Consultant