Saturday 23 January 2010

Who is responsible for data security?

This is one of my favourite topics and one that businesses typically overlook.

Let’s look at an imaginary example with the rather snazzy names of The XYZ Coffee Bean Company and Acme Payroll Services. The XYZ Coffee Bean Company has outsourced payroll processing to Acme Payroll Services. Acme Payroll Services now holds personal information, bank details etc. for all of the staff at The XYZ Coffee Bean Company. Acme Payroll Services has a security breach and the personal details of staff at The XYZ Coffee Bean Company are stolen.

Q. Whose responsibility was it to secure The XYZ Coffee Bean Company payroll data that was stolen from Acme Payroll Services?

A. The XYZ Coffee Bean Company.

This answer usually surprises people. After all, Acme Payroll Services should have provided a duty of care to The XYZ Coffee Bean Company, and Acme Payroll Services should have been responsible for securing their own environment and protecting their customers? Morally the answer is yes, legally the answer is nope!

I have been speaking to lots of organisations about Section 144 of the Criminal Justice and Immigration Act of 2008 because it sets out the responsibility of the data controller / custodian (who owns the data) and the data processor (who handles the data). It has been a scary journey with most organisations being unaware of this. I am afraid that if an organisation owns the data, then that organisation is responsible for it, no matter where it goes, even to third party organisations.

I think this approach is great because it puts the responsibility directly onto the company that initially gathered the data. I want to know that if I give my personal details to The XYZ Coffee Bean Company they will be legally bound to ensure it is looked after, no matter where it goes. If they don’t take care of it, they are liable, not the third parties that they farm my data off to, so it should make them more responsible.

Wouldn’t it be refreshing if (a) organisations actually knew Section 144 exists and then (b) put processes in place to ensure they complied with it?

Never mind, I guess until more organisations take Section 144 seriously we will continue to have a slipshod approach to securing data.