RSM Tenon on secure IT systems
The Guardian recently reported that the Greater Manchester Police Force were fined £120,000 following the theft of a USB stick containing the details of over 1,000 people with links to serious crimes from a detective's home. The unencrypted device had no password protection.
While many of us will consider this completely unacceptable from a public body, it is a useful reminder that the security of data is important to any organisation.
Memory sticks can now hold significant amounts of data, yet they are so small that they are easily lost, misplaced or, as in this case, stolen: the device was being kept in the detective's wallet.
The Data Protection Act contains eight basic principles, one of which is that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to data.
Employers may be expected to adopt computerised back-up procedures, and to ensure that only authorised persons within the organisation have access to personal data. So is a well-written IT policy sufficient? The reality in our experience is that many employees do not take the time to read the document, and regrettably many also don't believe it all applies to them. Additionally, it is incredibly difficult for an employer to police its own policies and ensure that organisational data or personal data is not leaking, either purposely or accidentally.
A well-written IT policy should stress the importance of data security, what it means by data security, what procedures apply to each employee, and what the penalties could be if an employee does not follow their procedures.
All areas of IT should be covered, including use of company equipment, downloading software, use of the internet and e-mails, unacceptable behaviour such as discrimination or bullying/harassment and, in particular, the growing medium of social media. Since memory sticks are so easy to use and lose, a separate section on them may be beneficial.
Ideally employees should be asked to sign to say they have read, understood and will abide by your policy (so that no one can later claim they were unaware).
Organisations should work with their IT specialists to come up with sensible, practical and affordable solutions to support the policies. If your policies allow you to monitor the use of IT in your organisation, then it is good practice to do so every so often and to follow through by telling staff that you have done so, which demonstrates that you are keeping your promises. If you do find misuse of any kind, follow it up without delay.
You should also strengthen your policies surrounding termination of employment, since it is not uncommon for some leavers to consider they have a right to take with them lists of clients, suppliers, and documents. Sensible precautions involve restricting access to data once it is known that an employee is leaving, and they should be applied to all leavers regardless of the circumstances of their termination.