Friday, 25 July 2008 9:16AM


PROTECTING YOUR DATA

When the Data Protection Act 1998 came into force it put a legally binding duty of care on all organisations that stored the personal information of individuals. Under the Act they have to safeguard the integrity of such personal data and ensure that it is not disclosed in any form to any unauthorised person or persons.

The Data Protection Act is mandatory and all organisations that hold or process personal data must comply with its regulations. Therefore it’s incumbent upon such organisations to be aware of the detail of the Act and how it relates to their business.
See: http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1

As has been widely publicised, a significant breach of the Act may have occurred recently through the loss of discs containing the personal information of millions of British citizens.

As an organisation involved in credit management you will be similarly responsible for the secure storage, retrieval and transmission of potentially millions of pieces of personal information.

Are you sure that you are legally entitled to hold all the data that you have on file?
Are you confident that your in-house, mobile and online access systems and transmission procedures are totally secure?

These are just some of the questions legal and credit management firms must review on a regular basis if they are to stay on the right side of the Data Protection Act.

One way to ensure that you do is to establish and maintain a ‘security plan’ within your organisation.

Unfortunately, too many firms see data security as an unnecessary expense as it has no immediate impact on their bottom line. On the contrary, we would suggest that rather than categorizing such security as an IT concern, you should consider it as a business issue. Offline and online data access has become an intrinsic part of conducting modern business, which therefore makes security planning as important as any other form of business planning – irrespective of the legal obligations.

We therefore recommend the establishment of an organisation-wide security plan and regular security audits. When conducting such in-house operational audits, be aware that the presence of unsecured, badly configured, or unauthorized transmission devices such as modems can undermine the most detailed security plan. People may set up modems accessible with no password or an easily guessed password. These modems are vulnerable to hackers who call numbers systematically until they find a phone number that connects to an unsecured dial-up access point.

If a computer with a rogue modem is connected to your organization’s network, almost anyone with the appropriate skill and malicious intent can use it to access your network. Firewalls don’t protect against this type of attack. The intruder gains access via phone lines, bypassing the firewalls that protect your organization’s network borders.

Security planning does not simply encompass the methodology involved in the secure storage of personal information. It is not only a matter of what data is stored or how it is stored; it also includes how it is transmitted and copied between one location and another. Therefore encryption techniques and password protection policies should be an integral part of the plan and reviewed on a regular basis.



