Security measures under the Data Protection Act
Data Controllers must take adequate and appropriate steps to prevent:
- Unauthorised or unlawful processing of personal data;
- Accidental loss of personal data; or
- Destruction of or damage to personal data.
This duty is particularly onerous on employers and includes the obligation to protect data stored on laptops, mobile phones and tablet computers.
Where there is a chance of a mobile device being lost or stolen, Data Controllers need to take steps to ensure that any personal data that may be stored on the device is encrypted. The Information Commissioner can take steps to issue enforcement notices against employers for any breach of this requirement.
Enforcement notices can require tighter security, the introduction of encryption and/or further security measures, and will usually give a date by which the notice must be complied with. If the notice is not complied with, criminal convictions and fines can follow.
Security for personal data needs to be taken seriously, and this also extends to the transmission of personal data to third parties, where it could be intercepted.