How valuable is your company's data security policy?
Security policies form an essential part of effective data protection compliance. The Data Protection Act requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or damage.
Therefore, although policies are valuable in many different types of business, they form a fundamental part of those businesses which store and utilise high volumes of sensitive or confidential information. Not only do such policies aid companies in operating within the Data Protection Act but they can also be used to help minimise any repercussions where data security does, for whatever reason, fail.
However, in reality the effectiveness and value of Data Security Policies are only proportionate to manner in which they are applied and followed.
Alarmingly, an experiment carried out last month in London revealed that Security Policies are very easily undermined. IT skills specialist, the Training Camp handed out CDs to commuters explaining that they contained a special promotion. However, the CDs merely contained a programme which informed the Training Camp how many participants had tried to install the CD.
Despite the CD's packaging which advised participants to follow their company's acceptable use policy and which warned of the risks inherent in downloading unknown and unapproved third party software participants proceeded to open and install the CD and ultimately put the security of their company data at risk.
The CDs contained nothing harmful. However, the potential for damage to be caused by such a blatant breach of data security was immense particularly given that participants included both insurance and bank employees.
So how can data security be improved? How can a company make sure that data security policies are followed? A number of simple and practical steps can be taken. These include: ensuring that certain individuals are responsible for compliance; making areas where sensitive data is stored physically secure; using and updating passwords (and keeping them secret); providing different levels of access to data proportionate to the employee's role; shredding printed material when no longer required and checking the identity of those enquiring about data held before it is released. Additionally businesses should look to ensure that adequate training is in place to convey this information to its employees.
This article is reproduced from Eversheds e80 service. You can find out more about Eversheds e80 and search the Eversheds e80 archive at www.eversheds80.com.
e80 is provided by Eversheds for information purposes only and should not be regarded as a substitute for taking legal advice. It is reproduced here by kind permission of and is © Eversheds.
Discuss This Article