Page 274 - DCAP104_EXPOSURE_TO_COMPUTER_DISCPLINES
P. 274

Unit 14: Taking Protected Measures



                                                                                                  Notes
             The complainant, an employee, made his complaint while the computer system was still being
             developed and implemented by the organisation. He made the following points. First, he
             alleged there had been a breach of security because the laptops were without any password
             protection for a period during the development of the system. Second, the complainant objected
             to certain of his personnel data and details of his work activity being generally available to
             staff, and argued that such data should only be available to those who needed them to perform
             their managerial functions.

             Section 2(1) (d) of the Data Protection Act provides that “appropriate security measures shall
             be taken against unauthorised access to, or alteration, disclosure or destruction of, the data
             and against their accidental loss or destruction.” The question of the security of access to the
             laptop computers was considered in the light of this provision.
             My investigation established that each laptop required use of a password for access to the local
             version of the database. Where a laptop was establishing a connection to the main computer,
             another password was needed, and access to the main database itself required the use of a third
             password. In principle this approach appeared to conform well to the requirements of section
             2(1) (d) above. However, the apparent effectiveness of this approach had been compromised.
             In the interests of simplicity of operation the organisation issued a unique centrally-generated
             password to each member of staff (so that each staff member would only need to remember one
             password) thus reducing the effectiveness of the password system as a whole. Furthermore,
             in the course of training staff on an upgraded version of the software, the password security
             system was modified to allow trainees ease of access to the system. This modification gave
             open access to the main database from a number of laptops.

             As soon as this fact was discovered, the data controller took steps to rectify the matter. It is
             not appropriate for a data controller to allow his standards of security to slip, so that personal
             data becomes more widely accessible than is necessary. However, I noted the prompt action
             taken by the data controller to put matters right, and - given that my investigation did not
             discover any evidence of unauthorised access or use of the data during the period when the
             passwords were not in operation - I did not uphold this part of the complaint.
             The second ground for complaint put forward was the alleged wide availability throughout
             the organisation of details relating to the complainant’s work activities including particulars
             of annual and sick leave. This raised two separate but related issues: first, whether this wide
             availability constituted “disclosure” for the purposes of the Data Protection Act; and second,
             whether the wide availability of data was consistent with the organisation’s duty to take
             “appropriate security measures ... against unauthorised access to, or alteration, disclosure or
             destruction of, the data and against their accidental loss or destruction.”
             On the first question, I noted that the only people with access to the main database were the
             staff of the data controller. The definition of “disclosure” given in section 1(1) of the Act,
             specifically states that disclosure “does not include a disclosure made ... to an employee ...
             for the purpose of enabling the employee ... to carry out his duties”. In my opinion, these
             words require a data controller to make an assessment, in respect of particular employees,
             as to whether such employees need to have access to particular holdings of personal data,
             and to provide accordingly. Thus, one would expect a Human Resources Manager to have
             access to personal data not necessarily available to the manager of a client database, and vice
             versa. Data controllers should, in my view, take reasonable steps to prevent personal data
             from being made available to employees who may have no work-related interest in the data.
             On the second question, I consider that sensible restriction of the availability of personal data
                                                                                Contd...


                                             LOVELY PROFESSIONAL UNIVERSITY                                   267
   269   270   271   272   273   274   275   276   277   278