Information management and encryption
The collection, processing and storage of data is growing, and managing data correctly becomes a bigger challenge each year. Regulation such as the Data Protection Act, which now carries severe financial penalties for transgression of its rules, is making business owners sit up and pay attention to an area that many have not focused on. This is especially true of small and medium-sized businesses, which often lack the in-house expertise or manpower to tackle information management. Many firms find the process of reviewing how they collect, process and store data extremely useful and often find new opportunities for their business using data they already have.
Managing personal data

The Data Protection Act 1998, governed by the Information Commissioner’s Office (ICO), is the key regulation designed to protect personal data and stipulates 8 key principles for managing personal data.
Personal data must be:
- Fairly and lawfully processed
- Obtained only for specified purposes and not further processed in a manner incompatible with those purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Kept for no longer than is necessary
- Processed in line with the rights afforded to individuals under the legislation, including the right of subject access
- Kept secure: appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction
- Not transferred to countries outside the European Economic Area without adequate protection
As IT professionals, we focus on principle 7 and look at mitigating risk by ensuring:
- Only relevant persons have the appropriate access to personal data
- Data is stored and transmitted in a secure way
- Business processes define clearly how personal data should be handled
- Adequate protection against loss is in place
- A clear “Breach Management” process is in place, detailing what steps need to be performed in case of a breach
Our consultants can help you to review your use of personal data and put appropriate measures in place to ensure you can demonstrate compliance with the DPA.
Encryption
Many of the headline-grabbing news stories of the last 10 years involved the loss of laptops, portable storage media or CD/DVD media containing personal data; due to their portable nature, these devices are naturally prone to theft or loss. Another area of risk is the transfer of data via email, unsecured websites or file transfer. These are all open to interception and should also be protected. One of the most important tools to protect personal data is encryption. Put simply, should personal data fall into the wrong hands, it could not be used without the correct key.
By using encryption, you can demonstrate that your business has taken all reasonable precautions and, should loss occur, the risk of unauthorised access is removed.
We can carry out an evaluation and support you with the following:
- Defining an encryption policy to protect data in transit and storage
- Installation of an encryption solution appropriate to your business
- Holding emergency decryption keys and tools in escrow (these should not be kept with encrypted devices, for obvious reasons)
- The use of signed or encrypted email
While all this can start sounding complicated (and expensive), we offer simple solutions, and open-source software can remove the need for expensive software licences. By using encryption as part of your overall security and data management policy, you can help protect your business, comply with legislation and protect your customers. Many government bodies, charities and corporations mandate the use of encryption in this way, and there is no reason why you should not do the same.
Backups
A requirement of the DPA is the ability to recover from data loss, so carrying out regular data backups is key. Read more on our Data Backups page.
Talk to us on 0845 544 0307 and see how we can help you with information management to keep your business operating smoothly and safely.