Data Security
Protecting the integrity and security of stored data is a legal requirement in the UK. In short, once you collect information, you are directly and legally responsible for it. This page briefly outlines your responsibilities along with a few practical suggestions on data security.
Data Security Responsibilities
"All data controllers have a responsibility under the Data Protection Act 1998 to ensure appropriate and proportionate security of the personal data they hold." (DPA 1998, 7th Principle)
This means that if you collect personal data on your clients, contacts or customers, you have a legal obligation to protect that data. While the government hardly expects you to solicit the services of Fort Knox, it does expect you to take every reasonable step to keep personal and private information secure, in proportion to how sensitive it is and how much harm a breach would cause. (The 1998 Act has since been replaced by the Data Protection Act 2018 and the UK GDPR, which carry the same security obligation.)
Data Security Suggestions
- Create an information and data security policy. Stay Legal can help you establish protocols specific to your business operation.
- Keep your long-term data storage off the Internet. Older and closed files, for example, can be stored on a file server that is reachable only from your internal network and never exposed to the Internet.
- Hold only the data that genuinely needs to be reached over the Internet in an Internet-accessible database. While it may be important for your staff to access information on your clients and customers, not all records require electronic storage, and every record you do not put online is one that cannot be stolen from there.
- Encrypt sensitive files, and the disks and laptops that hold them. Employees holding the key can work with the files normally, while anyone who copies them, or steals the device, sees only unreadable ciphertext. Keep the keys separate from the data and back them up; an encrypted file whose key is lost is as gone as a deleted one.
- Require your staff to use long, unique passwords: a passphrase of several unrelated words is easier to remember and far stronger than a short word dressed up with substitutions. Do not rely on swapping digits for letters (for example, writing "Freedom" as "fr33d0m"): password-cracking tools apply exactly these substitutions automatically, so such a password falls almost as quickly as the plain word. A password manager lets staff keep a different password for every system, and a second factor should be enabled wherever a system supports it.
- Log all access to files and records containing personal data, and review those logs regularly; a log that nobody reads will not detect misuse.
- Never share personal data with third parties unless a written contract protects that data from misuse or further distribution.
- Shred all obsolete paper files.
- Wipe or destroy all unused or worn-out hard drives. Deleting files or reformatting a drive does not remove the data; it can be recovered with freely available tools. Either overwrite the whole drive or use the drive's own secure-erase command (plain overwriting is unreliable on SSDs, so use secure-erase or destruction there), or, simplest and most certain when disposing of equipment, physically destroy the drive.
- If customers, clients or business contacts can access their own personal information online, give each an individual account with its own password, and verify the person's identity before issuing or resetting credentials.
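The password point above is worth demonstrating, because "fr33d0m" looks strong and is not. Below is an added example (it is not part of the original page or of Stay Legal's own material) of a password check that undoes the common digit-for-letter substitutions and strips trailing digits and punctuation before comparing the password against a wordlist, which is what a rule-based cracker does in reverse. The wordlist and the minimum length of 14 are constructed assumptions for the example; a real check would use a large cracking dictionary and your own policy length.

```python
"""Password policy check (added example, not from the original page).

Crackers try substitutions such as 3->e and 0->o automatically, so a
policy that accepts "fr33d0m" as a strong password is fooling itself.
This check reverses those substitutions, removes trailing digits and
punctuation, and rejects anything that reduces to a dictionary word.
"""

import re
from typing import List

# Constructed sample wordlist standing in for a real cracking dictionary.
WORDLIST = {"freedom", "password", "welcome", "summer", "letmein", "dragon"}

# Substitutions that password-mangling rules apply by default.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Assumed policy minimum; long passphrases are the point of the policy.
MIN_LENGTH = 14


def unleet(password: str) -> str:
    """Reduce a password to the dictionary word it was built from.

    Lower-cases, removes a trailing run of digits/punctuation, then reverses
    the leet substitutions, so 'Fr33d0m!', 'fr33d0m' and 'freedom123' all
    collapse to 'freedom'.
    """
    base = password.lower()
    base = re.sub(r"[\d!@#$%^&*]+$", "", base)  # drop 'freedom123' -> 'freedom'
    return base.translate(LEET_MAP)              # then 'fr33d0m' -> 'freedom'


def check_password(password: str) -> List[str]:
    """Return the list of policy failures; an empty list means acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    root = unleet(password)
    if root in WORDLIST:
        problems.append(
            f"is a dictionary word with predictable substitutions ('{root}')"
        )
    return problems


if __name__ == "__main__":
    for candidate in ["fr33d0m", "P@ssw0rd123", "correct horse battery staple"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The check is deliberately one-sided: it can reject a weak password, but passing it does not make a password strong. Length and uniqueness across systems matter more than any character-mixing rule, which is why the policy above pairs it with a password manager and a second factor.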