Get the basics right …
23rd January 2015
You may get the impression reading this blog that I am obsessed with the Data Protection Act, and what can go wrong when organisations fail to do the basics.
Well, I guess I have to hold my hands up – I do sweat about the small stuff, but it is only because I care, and some really good, honest companies have ceased to be just because they forgot to do the basics.
To help you avoid some of these basics I thought I would tell you about some examples of what happens when the basics of Data protection are ignored, and so here is the first.
PRINCIPLE 5 Personal Information should not be kept for longer than is necessary
Principle 5 basically says that you should delete personal information as soon as you no longer need it. However, many companies and organisations seem obsessed with keeping personal data ‘just in case’.
“Just in Case of what I often ask my clients?”
The issue of when is the ‘right’ time is always an interesting conversation. “You are aiming for the ‘Goldilocks’ Zone” I tell them, not too soon, not too long, but just right!
CASE STUDY
Just this month the Shoe retailer ‘Office’ signed an undertaking with the Information Commissioner committing to address issues of data protection.
The high street and online shoe retailer was in trouble after the personal data of over one million customers was left exposed due to a hacking incident.
The hacker managed to gain the potential to access customers’ contact details and website passwords via an unencrypted database that was due to be decommissioned. The hacker bypassed other technical measures the company had put in place and the incident went undetected.
This is basically a classic tale of personal data being kept ‘just in case’. Probably the theory was sound, keep the information until the new system was live. The trouble was that the database was left accessible after the new file had gone live, and also it was left vulnerable to hackers.
Sally-Anne Poole, Group Manager at the Information Commissioner’s Office said:
“The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data. “All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.”
