Businesses warned over data security | 21 November 07

NORTH businesses are being warned to keep a close eye on their sensitive information in the wake of the missing data scandal at HM Revenue and Customs.

An outcry has followed the revelation that personal details of up to 25 million people have gone missing after they were sent from the Child Benefit Agency in Washington to London.

However, data protection experts at North law firm Ward Hadaway say it is not just large public sector organisations which have to be careful about the sensitive records they keep, such as employees’ home addresses, National Insurance numbers and bank account details.

Judy Baker, partner at Ward Hadaway, explained that all businesses have to comply with data security principles – or face potential action.

Ms Baker said: “Whilst it is easy to point the finger at a large public sector organisation, every other organisation and every business in the land is required to comply with the data protection security principle.

“That principle requires the private and public sector alike to take appropriate technical and organisational measures against unauthorised or unlawful disclosure of personal information and against the accidental loss or destruction of, or damage to, personal information.”

If companies outsource their information handling to another provider, further checks have to be carried out on that provider to ensure it can offer guarantees of security.

There must also be a written contract with that provider that imposes the data security principle upon them and obliges them not to use the information in ways not permitted by the company.

Ms Baker added that the current crisis at HMRC is not the first time that a Government department has come under fire for the way it handles sensitive data.

She said: “Earlier this month, the Information Commissioner’s Office found that the Foreign and Commonwealth Office was in breach of the security principle.

“This followed an investigation into the online application facility for UK visas, which revealed visa applicants’ details to other visitors to the website.

“Cases like this and the current problems at HMRC illustrate how important it is for organisations to follow the data security principle – and particularly in the case of HMRC, the serious damage that can result when they do not.”