Data Protection

COST OF LOST DVDS: £150K

Midwives fined for data loss

The data protection watchdog has urged organisations to review their policies on how personal data is handled. This warning from Act. The council lost three DVDs related to a nurse’s misconduct hearing, vulnerable children. The ICO found the information was not encrypted. said: “It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected. I would urge organisations to take the time to check their policy on how personal information is handled. Is the policy robust? Does it being followed in every case? If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.”

What happened

case to the hearing venue. When the packages were received the discs were not there, though the packages showed no signs of tampering. The council searched for the DVDs, but they are still missing. The council, which voluntarily reported the breach to the ICO, as data controller has reviewed its methods of exchanging sensitive information. According to David Smith, the council’s underlying failure to ensure these discs were policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered.
Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.”

Watchdog on survey

A survey for the ICO has shown many employers appear to have a ‘laissez faire’ attitude to allowing staff to use their personal laptop, tablet computer or smartphone for work business, which may be placing people’s personal information at risk. The survey, by YouGov, suggests that near half, 47pc, of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But fewer than three in ten who do so are provided with guidance on how their devices should be used in this capacity. The watchdog published guidance on risks organisations must consider when allowing personal devices to be used to process work-related personal information; in a ‘Bring your own device’ (BYOD) way. Simon Rice, Group Manager (Technology), said: “The rise of smartphones and tablet devices means that many of the common daily to organisations, employers must have adequate controls in place to make sure this information is kept secure. The cost of introducing these controls the type of processing being considered, and might even be greater than when you consider the reputational damage caused by a serious data breach. This is why organisations must act now.” Visit www.ico.gov.uk.

APRIL 2013 PROFESSIONAL SECURITY

Can you go wrong on human rights?

Chris Brogan sold his business last year - and he’s glad he did. He’s working on his golf swing, doing some consulting, some speaking. He’s still as serious as ever about privacy and how it can and will affect private security. European Union rules will come in on data protection in two or three years (as mentioned last issue); people are becoming more and more aware of their rights, and make subject access requests; there are pressure groups, such as Big Brother Watch (BBW); and Liberty, which seek cases to take to court; and if your company is a multi-national, are you complying with privacy law in other countries (and ever more countries have such laws). Chris Brogan began his talk to Ex-Police in Industry and Commerce (EPIC) at Birmingham by arguing that security, ‘no matter how you package it’, is an intrusion into a person’s privacy. He was not saying that you cannot do that intrusion; but (according to the Human Rights Act article eight, the right to a private life) intrusion has to have a legal basis, and be reasonable and proportionate. “Every single security function you are involved with has to satisfy all three limbs. Because if you aren’t you leave yourself open to an action under the Human Rights Act.”

‘Outrageous’ fine

While data protection and human rights (and RIPA covering surveillance by or for a public authority) might mean evidence is excluded in court and a lawyer could give you an uncomfortable time in court, an investigator can use such laws, he suggested.
If you have an investigator’s mindset, Chris said, through Freedom of Information (FoI) requests you can get information from public authorities, and even if (commercially) sensitive things are blanked out, maybe you can work out what the removed details are (by making other FoI requests of other authorities?!). Don’t get the impression that Chris Brogan is somehow in favour of what we could call the data protection and human rights industry. Midwifery Council (see previous page), he said: “I think it’s outrageous.” The watchdog the ICO, bodies. As for the offence by the midwives’ body - three discs with personal data were lost - ‘OK, if your organisation lost sensitive information?

www.professionalsecurity.co.uk
Data Protection Comment
PRIVACY UPDATE:

Would you get off? “I suggest not. This is how ridiculous this legislation has got.” He added that the ICO is looking for the maximum penalty for years in prison, ‘and I am telling you, he will get it’, Chris Brogan predicted.

How this applies

How does this apply to the security industry? He went through CCTV and access control; then investigations. First, employee vetting and screening. Bearing in mind those three ‘limbs’ - that breaches of privacy should be legal, reasonable and proportionate - he queried checks for county court judgments (CCJs) and bankruptcy for a security guard. Is it worth the risk for a security guard? It might be worthwhile Chris Brogan stressed it was a matter of risk management: “What I am suggesting is, if you don’t know what the risk is, how can you possibly manage it.
And does your client want to take that risk?” Chris Brogan asked: suppose he applies to work for you as a guard. What relevance does a CCJ have: “What are you trying to imply? Are you trying to question my such a check? As for CCTV, he admitted that the technical side of CCTV went over his head, but, he added, the privacy implications go over the head of CCTV technical people. Is CCTV for security, or monitoring? Chris Brogan asked. If a line manager asks what time x came into work, because the manager suspects is a malingerer, is that the purpose of the CCTV? He suggested working as handlers of precious metals; but you should make a privacy impact assessment (such a procedure is on the ICO website) and according to the data protection principles. When sharing CCTV, of a protest outside your factory gates, for instance; do you have to pixel-out all the other companies that offer pixelling services may say so. As for investigation, is it internal or external; criminal, or civil? Who inside the organisation is going to authorise an internal investigation? someone senior write it off? If external, do you do due diligence on the agency - and what of the sub-contracting? Are the contract investigators registered with the ICO? As for outsourced security, he suggested such a contract requires a data protection clause, that requires the contractor to comply with data protection principles.

About the speaker

Regiment man has specialised in privacy matters.