Data security is the prevention of unauthorised access to, the abuse of, misuse of or loss of personal data.
Principle 7 of the Data Protection Act states that data must be kept secure in order to prevent loss or unauthorised disclosure.
The financial services regulator and the Information Commissioner view loss of personal data as a very serious breach.
Identity theft is feared by many consumers and any risks taken by businesses in this area can lead to high profile media coverage and consumer outrage. This is damaging to the business’ reputation, in addition to the fine which can be levied.
All businesses handling personal data, therefore, are expected to exercise a high degree of risk management in this area.
Technical security measures to protect computerised information are of obvious importance. However, many security incidents relate to the theft or loss of equipment, or to old computers or hard-copy records being abandoned.
Physical security includes things like the quality of doors and locks, and whether premises are protected by alarms, security lighting or CCTV. However, it also includes how you control access to premises, supervise visitors, dispose of paper waste, and keep portable equipment secure.
As part of its security measures, an organisation ensures that information on laptop computers issued to staff is protected by encryption, and that desk-top computer screens in its offices are positioned so that they cannot be viewed by casual passers-by. Paper waste is collected in secure bins and is shredded on site at the end of each week.
Computer security is constantly evolving, and is a complex technical area. Depending on how sophisticated your systems are and the technical expertise of your staff, you may need specialist information-security advice that goes beyond the scope of this guide. A list of helpful sources of information about security is provided at the end of this chapter. You should consider the following guiding principles when deciding the more technical side of information security.