Data security breaches – new guidance from the Information Commissioner

The Information Commissioner's Office (ICO) has published new guidance on how organisations should deal with a breach in data security. The guidance aims to provide information for companies as to what to do when a breach occurs, and whether or not the breach should be reported to the ICO.

In its guidance note, the ICO notes numerous potential causes of security breaches, including the loss or theft of equipment on which data is stored, human error, online hacking, people obtaining information by deception or inappropriate access control allowing unauthorised use of data.

10th June 2008

The Information Commissioner's Office (ICO) has published new guidance on how organisations should deal with a breach in data security. The guidance aims to provide information for companies as to what to do when a breach occurs, and whether or not the breach should be reported to the ICO.

In its guidance note, the ICO notes numerous potential causes of security breaches, including the loss or theft of equipment on which data is stored, human error, online hacking, people obtaining information by deception or inappropriate access control allowing unauthorised use of data.

The guidance notes that, irrespective of how the breach may have occurred, companies should have an effective breach management plan in place. The plan should, according to the ICO, have four elements:

  1. containment and recovery;
  2. assessment of ongoing risk;
  3. notification of breach; and
  4. evaluation and response.

Containment and recovery
The ICO emphasises the need for companies to have a damage limitation strategy. The guidance note highlights the importance of obtaining input from specialists in IT, HR and legal matters, as well as external advisors where appropriate, in order that an organisation can contain any damage caused by a breach in data security. Examples given of effective containment include doing something as simple as changing the access codes on a door, or the use of back up discs to restore lost or damaged data. Ultimately, the guidance suggests that an organisation may need to inform the police of a security breach where appropriate.

Assessment of ongoing risk
The guidance note suggests that organisations appraise the risks that any data security breach has created. It contrasts the position of, for example, a laptop being irreparably damaged but whose files were backed up and can be recovered, with that of a customer database being stolen, with personal data relating to individuals leading potentially to serious and possibly criminal consequences. The message from the ICO on assessing risk is that, beyond containment of a security breach, organisations must consider what harm might be caused to consumers or other individuals as a result of the breach, in order that a cautious but proportionate response can be made.

Notification of a breach
Perhaps one of the most useful parts of the guidance is the section dealing with when and how an organisation should notify people of a breach of data security. The ICO's note emphasises that notifying people of a breach is not all that must be done – it notes that a notification could contain advice on how affected individuals might take steps to protect themselves, or it might give relevant information to regulatory bodies so that they can carry out their functions quickly and effectively.

Evaluation and response
The final element that the ICO suggests should be contained in an organisation's breach management plan is evaluating how a breach was caused and how that problem can be dealt with in the future. The guidance suggests that organisations suffering a breach of security should assess the reason or reasons for the breach and change policies or practices that may have led or contributed to the breach. The ICO emphasises the potential danger of organisations adopting a 'business as usual' approach following a breach, without taking stock of how the breach occurred and how a similar problem might be avoided in future.

Data Protection versus Freedom of Information – House of Lords to decide
The House of Lords has heard arguments in a case involving issues over the compatibility of data protection laws with freedom of information (FOI) legislation. The case of Common Services Agency v Scottish Information Commissioner is one that could have significant consequences for the way that laws on data protection and FOI interact.

The case stems from a request, made on behalf of a member of the Scottish Parliament, for statistics showing the incidence of childhood leukaemia in children between the ages of 0 and 14 in the Dumfries and Galloway area. The relevant public body, the Common Services Agency (CSA), entered into an exchange of correspondence with the applicant before deciding that it could not release the information. The CSA concluded that, although the FOI legislation meant that it was generally obliged to provide information to applicants, the effect of the Data Protection Act 1998 was to prohibit it from releasing the information being requested.

The applicant appealed to the Scottish Information Commissioner (SIC) against the CSA's decision and the SIC accepted the applicant's appeal and ordered the CSA to release the information. The CSA then appealed against that decision and, having had its appeal rejected in the Court of Session in Edinburgh, it brought the current appeal to the House of Lords.

Essentially, the CSA justifies its original decision against disclosure by arguing that to release statistics about medical conditions affecting individuals in a group of people in such a specific and small geographic region would mean that it would be highly likely that individuals could be identified. Arguing against this, the SIC contests that there is a well-established method of anonymising statistics (known as 'Barnardisation') that, if implemented in this case, would mean that individuals' identities would be sufficiently obscured.

While the Court of Session had accepted this argument of the SIC, it became clear during the early stages of the House of Lords proceedings that the House of Lords did not regard 'Barnardised' data as sufficiently anonymised to allow it to be considered as random information rather than personal data. The CSA's arguments were supported insomuch as the law lords accepted that the Barnardisation process is imperfect and may not necessarily lead to obscuring identities sufficiently.

The question to be answered by the law lords is whether Barnardisation allows information that would otherwise be considered personal data (and therefore exempt from release under the FOI scheme) to be viewed as information eligible for disclosure on request.

A second issue being considered by the House of Lords is whether the purpose behind a FOI request is relevant in considering whether requested information should be disclosed. The assumption in cases and hearings so far has been that the reason for a person bringing a FOI request is irrelevant, but this case presents the law lords with the opportunity to rule that it might be permissible, in a limited number of cases, for a public authority to take into account the reason behind a FOI request in deciding whether to allow that request.

The decision of the House of Lords in this case has the potential to overturn existing assumptions about how FOI requests should be treated and, in particular, the type of personal information that would otherwise be considered to be protected by data protection legislation and immune from disclosure as a result of FOI requests.