Comment: Full Disk Encryption should be a legal requirement for any organisation that holds personally identifiable data

The most recently publicised data breach, the loss of a portable hard drive containing the details of up to 5,000 prison staff follows hot on the heels of news that a laptop was sold on eBay reputedly containing banking details of one million customers of a high street financial institution, and the loss of a USB stick containing details of 84,000 prisoners.

Whilst these incidents were as a result of human error, Marc Hocking, Chief Technology Officer of Security Firm BeCrypt claims that had the correct data encryption technology been in place, the likelihood of human error would have been significantly reduced.

Mr. Hocking went on to say, “If security is too cumbersome people will find a workaround, so it needs to include built in checks to prevent people from making mistakes. Encryption technology is now available that is easy to roll out to all computers and data storage devices within an organisation, it can be centrally managed and it is transparent to the end user, so it does not affect their ability to do their job.

“Furthermore, existing systems enable authorised parties to access data securely from any location but do not allow them to store any data locally, meaning that people would not need to save data to a USB stick or portable hard drive. The data would have remained on its home server where it was securely protected and encrypted. With the availability of these systems organisations can provide a safe and secure and yet flexible working environment for staff, so there is really no excuse not to protect people’s personal information more thoroughly.”

In the last three months, three separate reports have been published about Data Handling in the Government and Public Sector space:

• Data Handling Procedures in Government: Final Report, which was undertaken by the Cabinet Office;

• Sir Edmund Burton’s Report into the Loss of MOD Personal Data for the Permanent Under Secretary Ministry of Defence;

• and the Review of information security at HM Revenue and Customs: Final Report, by Kieran Poynter.

Each report makes a different set of recommendations that will impact widely on the public sector, the third party organisations that work with the public sector, and the wider business community.

However they all call for a culture change to one where personal data is treated with the utmost respect.

In many cases personal data is required in order to provide better and more personalised services, however, the data remains the property of the citizen, with the third party the custodian of, rather than the owner of, the data.

This underlines the fact that it is already a legal requirement for government organisations to protect personal data, and this should now be extended to cover all organisations.

Another common theme across all reports is that end users, i.e. staff, must be given clear guidance, including regular training, on the treatment and handling of data, and that data security measures must be quantifiable, transparent, and easily open to scrutiny.

Mr. Hocking continued, “Public sector bodies are now required by law to follow data handling best practice when dealing with personally identifiable data.

Non-public sector organisations need to think and act seriously about the legal requirements for protecting data. If data is lost from either the public or the private sector, its impact can be equally disruptive and distressing.

For instance, if personal finance information appears on eBay, no matter where it came from and how it got there, individuals may still be exposed to the risk of identity theft.

Furthermore, the organisation that lost the data in the first place can be subject to large fines and bad publicity.”