Data Protection and e-mail security
For many years data protection and email security has been quite straightforward as you kept all the data in the office and you have physical security methods. However with the increasingly mobile society that we live and work in things have changed considerably.
The Data Protection Act 1998 (the Act) requires anyone who handles personal information to comply with a number of important principles. It also gives individuals rights over their personal information. Individuals have a wide range of rights under the Act, including access, compensation and the prevention of processing.
If you like our articles, why not subscribe to our free monthly newsletter with regular Private Client news, views and advice from leading legal minds. It's quick, easy and you can unsubscribe at any time if you no longer want to receive it.Sign Up Now
If you handle personal information, you have a number of important legal obligations.
- In the UK you are obliged to be registered with the Information Commissioner’s Office (ICO)
- Pay an annual fee if you are processing data other than say an address book for personal use or just say staff records
- The office must be notified of the type of data you are processing and the purpose
- If the type or purpose of the data changes then this must be updated with the ICO.
The Data Protection register is a matter of public record and is open to inspection as it is a basic principle of data protection that the public should know (or should be able to find out) who is carrying out the processing of personal information as well as other details about the processing (such as for what reason it is being carried out).
Failure to register is a criminal offence.
The regulations in Europe under Directive No 95/46/EC set out seven key principles that relate to date processing and protection for the subject whose data is being processed.
- Notice-The person must be notified when data is being collected about them
- Purpose- The data collected can only be used for the stated purpose given when getting permission to collect the data
- Consent-You agree that you will as a data processor not disclose that data without the subjects consent
- Security- The data should be held securely from abuses
- Disclosure-It must be disclosed who has collected the data
- Access-The subject must be given access to the data for which a reasonable fee may be charged and the subject should be able to make corrections to the data
- Accountability-There should be a method to hold the data collectors accountable for the above requirements being met.
If it is an issue relating to Health then under Article 8 then extra rules apply.
So those are the rules but what is the reality? Do you have e-mails not only on the office computer but on your laptop, your phone, your iPad?
While maintaining security in an office can involve keys and security passes; your data, when mobile is far more vulnerable, so what should you as a firm be doing to ensure that data is being kept securely?
- Make sure that you know which employees have remote access and keep this strictly limited so any documents are saved back on your server and not on the home PC. One way to do this is to use “Log me in” which is a secure way to access a computer remotely. The link for more information is www.logmein.com
- Make sure that employees have their own passwords and these are regularly changed as this will make it easier to trace any breaches
- Only allow e-mails to be synched with work owned phones and make sure these are set up with password protection
- Make sure laptops and other mobile devices are password protected.
- Make sure data is encrypted when it is in transit so it cannot just be intercepted and read.
- Have a “kill” type program set up. What this does is enables all data to be erased remotely if a phone or other device is stolen. Possible programs for this include:-
- a. Lookout Mobile security that backs up your device too. This works with Android Blackberry and Windows Phones. The basic version is free and the website link is https://www.mylookout.com/
- Mobiwee offers a slightly different app but includes the ability to trace your phone now that could be annoying for the thief! This works with Android, iPhone, Windows Phones and is beta testing with Blackberry at the moment. Here’s the link if you want to learn more http://www.mobiwee.com/downloads/index.jsp
- FN Suite Anti-theft –This one only works on Nokia phones and the list can be found here http://www.getjar.com/mobile/36734/fnsuite-antitheft/
- FindMyiPhone from Apple is free software that can trace your phone and allows you to remotely wipe it. It works very well but only works for iPhones and iPads.
- Be wary of use in Public HotSpots. Most of these use open WiFi connections that means your data is unencrypted between your device and the WiFi hotspot. You can secure your connection by using a Virtual Private Network to connect to your office.
If you fail to comply be aware the penalties are not cheap.