Lessons on the Data Protection Act

Breaching the Data Protection Act carries severe consequences and can lead to heavy monetary fines or even prosecution, writes James Kelly, chief executive of the British Security Industry Association.

For organisations operating in the education sector, being familiar with the Data Protection Act 1998 and their obligations under it should be a priority. Breaching the Act carries severe consequences and can lead to heavy monetary fines or even prosecution. The consequences reach further still: a breach poses a serious risk to an organisation's reputation and places additional pressure on already strained resources.

Fair and lawful
Under the Data Protection Act 1998, everyone responsible for using data has to follow the data protection principles. These include ensuring that data is used fairly and lawfully; used for limited, specifically stated purposes; used in a way that is adequate, relevant and not excessive; is accurate; is kept for no longer than is absolutely necessary; is handled according to people’s data protection rights; is kept safe and secure; and is not transferred outside the European Economic Area without adequate protection. Failing to abide by these principles can put a person’s information at risk, which can lead to identity theft and fraudulent activity.

Data breaches pose an added risk for organisations in the education sector because of the sensitive nature of the information they hold about students and the safety risks a breach can pose to minors. It is therefore vitally important that organisations of all sizes that handle personal data understand their obligations under the Data Protection Act.

The seventh principle
The seventh principle of the Data Protection Act requires an organisation to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to it. That obligation runs right up to the point of disposal, and the data controller remains responsible for the data even when destruction is outsourced. Where a third party handles confidential waste, the Act requires the controller to have a written contract with that processor, binding it to act only on the controller's instructions and to keep the data secure, and the controller must take reasonable steps to check that the processor lives up to it. A supplier able to guarantee that every stage of collection and destruction is carried out securely and compliantly should comply with European Standard BS EN 15713:2009 for security shredding and with BS 7858 for staff vetting.

A search of the Information Commissioner's Office's website turns up examples from every industry sector of organisations that have failed to comply with the Data Protection Act. Recent examples from the education sector include King's College London and Brunel University London, both of which signed undertakings to comply with the seventh data protection principle after personal data in their care was not kept safe and secure.

When confidential data is no longer required by an organisation, it should be disposed of securely, through a data destruction company that complies with EN 15713, so that the material is destroyed properly and cannot be retrieved.

Safe and secure destruction
BS EN 15713:2009 should be a crucial requirement for organisations of all types and sizes, as it provides recommendations for the management and control of the collection, transportation, destruction and recycling of confidential material, to ensure that such material is disposed of securely and safely. The BSIA's Information Destruction section was a key player in the development of EN 15713 and helped to specify how the processes should be handled within the secure data destruction industry. Adam Chandler, former chairman of the BSIA's Information Destruction section, believes that it is important for end-users in the education sector to understand the various elements of EN 15713 in order to make informed procurement decisions and to meet the requirements of the seventh principle of the Data Protection Act.

Chandler explains: “Essentially, EN 15713 ensures that companies providing data destruction services are doing so in a secure manner which provides maximum security for end-users’ information. The standard covers a number of key aspects of a data destruction service, from premises to personnel and a company providing data destruction services will need to meet these requirements to comply with the standard.

“The standard requires that premises used for confidential data destruction must have an administration office where the necessary records and documentation are kept for conducting business, which should be isolated from other business or activities on the same site. An intruder alarm installed to EN 50131-1 and monitored by an Alarm Receiving Centre should be present on the premises, which should also have a CCTV system with recording facilities monitoring the unloading, storage and processing areas. CCTV images should be retained for a minimum of 31 days unless otherwise agreed with the client.

“A written contract covering all transactions should exist between the client and the supplier and any sub-contracted work should only be allocated to other companies compliant with EN 15713. The client should be made aware if any sub-contractors are used. All staff should be screened in accordance with BS 7858 – security screening of individuals employed in a security environment code of practice – and should sign a deed of confidentiality prior to employment.

“Confidential material should remain protected from unauthorised access from the point of collection to complete destruction and should only be collected by uniformed and suitably trained staff carrying photographic identification. The destruction of confidential material should take place within one working day of arrival at the destruction centre, where shredding takes place away from a customer's site.

“There are also a number of requirements relating to the use of vehicles for the collection and transportation of confidential material, or for the destruction of confidential material on a customer's site. These include the ability to communicate via radio or telephone with the home base, the ability to be closed and locked or sealed during transit and the ability to be immobilised or alarmed when left unattended.”

Procurement and guidance
The BSIA’s Information Destruction section has produced a comprehensive, step-by-step guide to help end-users to navigate and understand EN 15713, which provides a full list of the requirements which information destruction companies should meet to be compliant with the standard. This guide also offers some additional recommendations on other areas of best practice which aren’t requirements under EN 15713, to help end-users make informed decisions when it comes to procuring or renewing information destruction services.

Using the information provided in this guide, along with the range of other publications published by the BSIA’s Information Destruction section – which includes a guide to the Data Protection Act for end-users – can help organisations in the education sector to understand their obligations to good data management.

Organisations can also find a range of information to help them comply with the Data Protection Act on the Information Commissioner’s website (www.ico.org.uk), including the recently launched SME Self-Assessment Tool. Launched in February 2016, the tool helps small and medium-sized organisations to assess their compliance with the Data Protection Act and was welcomed warmly by the BSIA’s Information Destruction section. Adam Chandler commented: “The self-assessment tool provides SMEs with a fantastic opportunity to ensure that they comply with the Data Protection Act. Compliance will help to reduce reputational risk and ensure that directors are not faced with fines or prison sentences for non-compliance.

“Users can take part in a comprehensive assessment covering all areas of the Act or, alternatively, break the assessment down into separate check lists tailored to their particular needs and risks.

“If you have concerns about your current confidential information destruction procedures, a good place to start is with some of the freely available information published by the BSIA’s Information Destruction section or to consult one of our members who would be happy to offer you guidance,” concluded Chandler.

The BSIA’s Information Destruction section consists of companies that securely destroy a range of confidential information, including paper, DVDs, computer hard-drives and other items that could potentially cause problems if they fell into the wrong hands, such as branded products and uniforms.

All members of the BSIA’s Information Destruction section are compliant with EN 15713 as part of their ISO 9001:2008 inspection and are committed to promoting best practice within the industry. For more information about confidential information destruction or to find a reputable supplier near you, please visit the website below.

Further information