The Data Protection Act 1998 is a UK Act of Parliament enacted to protect personal data held electronically or in manual filing systems. It sets out the rules governing how businesses in the UK may collect, store, and use people's personal data. It is pertinent to note that this Act has since been replaced by the Data Protection Act 2018.
The Act has eight cardinal principles regarding data protection. These principles are built around the idea that personal data should be collected and used fairly and lawfully. Furthermore, only the correct information should be used, and it must be kept accurate.
Principle 7 Of The Data Protection Act
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The Information Commissioner's Office explains Principle 7 of the Data Protection Act further. It means that organisations should have appropriate security measures in place to protect the personal data they hold from being compromised, whether deliberately or accidentally. Different businesses take different approaches to putting these security measures in place.
Digital security breaches and high-profile hacks are common today. Therefore, you need to be aware of the various means of safeguarding data. It is also essential to decide who would be responsible in the event of a security breach and to prepare an emergency plan for responding to one.
As much as safeguarding ‘live’ data is essential, it is also crucial to protect data that is no longer in use. Principle Five of the Act stipulates that when personal data is no longer needed, it should not be kept indefinitely, but disposed of accordingly. To guard against accidental loss of personal data, firms should hire companies that specialise in such data disposal. Those companies should also guarantee that the collection and disposal of data are carried out securely and in accordance with instructions. This is to say that they must meet European Standard BS EN 15173:2009 with regard to security shredding. They must also meet European Standard BS 7858 with regard to staff vetting.
These standards deal with every aspect of data destruction, from securing the premises to hiring appropriate personnel. They also cover subcontracting arrangements of any kind and the security of transport vehicles.
Security shredding is the safest way of disposing of data that is no longer in use. Simply deleting data does not guarantee that it cannot be recovered later: deleting a file typically removes only the reference to it, and the underlying bytes remain on the storage medium until they are overwritten. The most reliable and guaranteed way to destroy storage devices holding data is physical destruction. One could hire the services of a shredding company for this purpose too.
It is also pertinent to note that items that have nothing to do with personal data could still endanger a firm's reputation, especially if they fall into the wrong hands. Such items include branded uniforms and products. Fortunately, they can also be shredded, which disposes of them effectively.
There are some other things to note regarding the seventh data protection principle. In protecting the personal data a business holds, it is essential to:
- Create security measures that are tailored to the type of personal data being held. The security measures should be designed to protect against the consequences that may be suffered from a breach.
- Appoint a person or company to be responsible for ensuring data protection and security.
- Ensure that appropriate technical and physical security measures are put in place, supported by effective procedures. Furthermore, there ought to be well-trained and efficient staff to help carry out these procedures.
- Have a contingency plan for responding to security breaches effectively and promptly.
- Ensure that digital security is appropriate to the use and size of the firm's systems.
Also, when choosing an appropriate data disposal company, there are some things to take note of and look out for. They include:
- Any data disposal company you hire ought to be at least as concerned about data protection as your own company is, and preferably more so.
- Look for independent approval of the products the company uses to dispose of data. An example of such approval is that of the NCSC. The NCSC, formerly known as CESG, is the UK government's national technical authority for information assurance. You may also need to carry out a client site appraisal and audit of the disposal company you choose.
- Ensure that the procedures the disposal company employs will deliver the results you need.
It is essential to keep in mind that the goal is to satisfy Principle 7 of the Data Protection Act. As a business, you are bound by law to protect the personal data that you have acquired.