Your duty of care for protecting clients’ information…

Most businesses store details of their clients. This may simply be a name, email address and telephone number, but more often than not it will also include sensitive information such as bank account details, credit card numbers and transaction history. Whilst stealing this data is a crime, did you know that it is also a crime not to properly manage sensitive data? One of our data recovery clients was fined nearly £500K for a serious data breach from a single unprotected laptop. Most problems are exacerbated by employees with too much access who accidentally share data, but do you know what your responsibilities are?

There are data protection principles published by the Information Commissioner’s Office, and in the event of a data breach it is against these principles that the seriousness of the incident will be assessed. Do not be alarmed though, because these principles are straightforward.

Data must be handled fairly and lawfully, meaning that you must have legitimate reasons for collecting data, be transparent about how you intend to use it and ensure there are no unjustified adverse effects for individuals. Data must not be processed in any manner other than for its primary purpose, it should be kept up to date, and it should not be kept for longer than is necessary.

Importantly, appropriate technical measures should be taken to safeguard the data. Whilst the principles do not specify what these measures should be, they should generally be no less than the organisation would take to protect its own data. The provisions of ISO27001 (Information Management) go into further detail about safeguarding data, and we discuss these technical measures in further detail throughout our data recovery blog. Limiting physical access and using encryption are generally considered sufficient for data that is not considered especially sensitive.

Lastly, the principles discuss transferring data, which is often overlooked by organisations. Transferring data outside the European Economic Area is frowned upon unless the receiving organisation can guarantee an adequate level of protection and freedom of information for individuals and organisations. For a detailed description of the principles visit https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/