During an election campaign it is
probably natural to ask ourselves what a government is for. And the answer is
to govern... to conduct the policy, actions and affairs of a state, organisation
or people with authority... to quote a dictionary definition. Obviously quite a
complicated business but when it comes down to it I believe it amounts to
setting boundaries.
That is what laws are. You can do
this but you cannot do that, and if you do we will punish you. In an ideal
world, any government’s legislation should leave its people in no doubt as to
how they are expected to behave, everything should be black and white, and we
should therefore understand the consequences of our actions.
Data security is regulated but
the legal boundaries are anything but clear. Not to the vast majority of
people. If you sat your average business manager in a room and asked him what
he was supposed to do with the data within his control, he would not have a
clue.
To a certain extent that is our
own fault. Not many people have ‘check the data protection act and how it
applies to my role’ on their to-do list. But they should of course. It would
make things so much easier in the long run, especially if the information
available was written so that anyone not related to Stephen Hawking had a chance
of understanding it.
Here’s a thing. An example of
what I mean. When you dispose of an old Business PC, you are being governed
(that word again) by two sets of legislation...WEEE and Data Protection. One
classifies your old PC as waste and therefore it must be moved under a waste
transfer note, by a licensed carrier and all that jazz. Not very exciting and
we could have a debate about when it becomes waste, but essentially it is, so
there, live with it and get a waste transfer note. It is better than a fine.
But the data stuff is trickier.
According to the law you are not throwing out an old PC, you are giving away
your data. From the moment it leaves your possession, your risk is running
around outside of your control and protection and legally you need to show a
duty of care towards its security. If you have not and it all goes a bit Pete
Tong you are in the firing line of a £500k fine. Very soon you would be opening
up the doors of the Scrubs and heading for a six month stretch standing
nervously with your back to the wall!
Make no mistake about it; the
penalties are serious and getting worse. The misuse of data is taken very
seriously in Brussels and Westminster. Mess up through negligence or criminal
intent and you can expect to feel the full force of the law and the Daily Mail,
not necessarily in that order.
The law is often an ass but in
this case it is not. It may not be educating us in how to stay on the right
side of it enough for my liking but this idea that you are transporting data is
good sense. People disposing of an old piece of kit do not see the data, they
see the hardware. They are well used to passwords and network security and they
don’t really think about what is on the hard drive. So the law is trying to say
‘hey stupid, remember what’s on there.’
The law is trying to protect
everyone. Any data a business holds will involve someone else. It may just be
name, address and phone number but in many if not most cases it will include
sensitive stuff like bank details, medical records, financial information or
even criminal records. So the law reminds you to take care.
Hence the existence of some 800
recycling businesses in this country who will deal with IT or data-bearing
equipment. Or at least say they will deal with it. And this is where I get
worried about the laws. The fact is they make suggestions without defining what
they mean. They say use a specialist partner to make sure but they do not help
with that choice. There are no British standards, no Kitemark for data erasure
or destruction.
That in itself is not unusual.
There are many sectors that have no government standards and quite often the
sector gets together to try and set its own. The Press Complaints Commission
would be a recognisable example of an industry regulating itself. In our case it
is ADISA, the Asset Disposition and Information Security Alliance, an
independent body that certifies members and sets standards, in conjunction with
the government, who do work around the edges.
However, of those 800 businesses
fewer than 40 are certified by ADISA. And only 3 are approved by DIPCOG to work
in the MoD/Government space. Now this does not make the other 760 or the other
797 bad of course. It just suggests that in the absence of a national standard
they do not see the value of playing the game.
That is a shame. The waters are
muddy enough and we could do with some clarity. Because without it, who your
data walks out of the door with is rather left to chance. And it is you who
will pay the fine, not them. In a few months, when the new European laws get ratified,
it could be you, or one of your directors, who gets to do the porridge.