IT systems

It is hard to escape the fact that IT has had a huge impact on the context and implementation of data protection law, and so shouldn't be taken for granted. A big problem for many organisations is that the more advanced and sophisticated technology becomes, the harder it is to protect their systems from individuals using that technology for illegal purposes, such as hacking. Many of our regular news stories include the results of organisations not having appropriate measures in place to protect personal data, whether it is theirs (as a Data Controller) or someone else's (as a Data Processor).

The Information Commissioner has the right to make assessments as to whether adequate organisational and technical measures are in place (Principle 7 of the Act), so it is worth considering the following questions.

  • Are your passwords secure? Many people have passwords that are extremely easy to guess, e.g. the name of a pet. Employees should be encouraged to choose something that would be difficult to guess as their password. It is also good practice to make them change their password on a regular basis.
  • Have you considered the risks involved in allowing employees to use laptops, USB keys and other mobile devices while away from the office? It is very easy to lose a USB key, or for a laptop to be stolen, for example.
  • Have you considered implementing encryption software? This may be especially useful where field-based employees need to use laptops.
  • Do you have sufficient anti-virus software in place, to prevent data from being damaged or destroyed?
  • Have employees been adequately trained to use the organisation's systems? Why have a highly sophisticated piece of software (e.g. encryption) if it is then compromised by lack of knowledge and training?
  • Are there adequate policy and procedural documents in place to ensure that this area is taken seriously, and do they have board level support?

In summary, there are many factors for organisations to consider in order to comply with the part of the Data Protection Act that requires adequate safeguards to protect personal data. The best starting point may be to carry out an audit of the procedures and systems in place, so that policies and training can be formulated. The audit will also indicate what, if any, additional actions and measures may be required.