Lee & White

Dedicated to Excellence
  • Home
  • About Us
  • Services
  • Blog
  • Press
  • Publications
  • News
Home > Blog

Go Back

Protecting People's Data

Posted by: Lee & White

Friday, August 29, 2008

Confidential Data TheftOne of the duties of being a data controller is to adequately protect the personal data entrusted to you by your data subjects. The law remains pretty vague and does not specify how much 'adequately' is.

Amongst others it means that you need to implement adequate technical means to protect the data, and put the necessary security measures in place.

Another point tells you to limit who has access to that data, ensuring that data is accessed only on a need-to-know basis. For example, the receptionist needs to know the name and company of customers who will visit the company today, but does not need to have access to their credit card data. The IT technician needs to know names and user access rights to perform his duties, but not confidential financial data.

Speaking of which, most companies' IT departments are a serious risk to security. Developers need to be able to develop their software and to do so, need access to code and data. Often this means that they have not only access to test data on test servers but also to real data on production servers.

They implement easy to remember user accounts - so called super users - which give them access to every part of the applications and databases, even the most confidential. These are rarely changed and are accessible to the complete development team, not to a specific developer. This also means that when a developer or IT consultant leaves the company, the password is not changed, and possibly the developer would still have access to sensitive personal data entrusted to the company.

According to Cyber-Ark, 9 out of 10 disgruntled IT staff would steal confidential or proprietary data from their former employer. The article on Contractor UK further states that one third of leavers would take lists with 'super user' passwords, giving them access to all kinds of sensitive company and personal data. Only 12% would be honest and leave empty handed, leaving all company confidential data behind.

Companies are required to ensure that the personal data entrusted to them is adequately protected, so this is certainly an issue they need to address. Do take note that implementing high security measures to secure personal and sensitive data is not sufficient as grudging staff will find a way to bypass these security measures.

Category:

Tags Data Breach Personal Data Organisations IT

Archive

  • 2014
    • March 2014
  • 2013
    • October 2013
    • July 2013
    • May 2013
  • 2012
    • March 2012
    • February 2012
    • January 2012
  • 2011
    • December 2011
    • July 2011
    • June 2011
    • May 2011
    • April 2011
    • February 2011
  • 2010
    • December 2010
    • September 2010
    • June 2010
    • May 2010
    • April 2010
    • February 2010
  • 2009
    • October 2009
    • August 2009
    • June 2009
    • April 2009
  • 2008
    • November 2008
    • October 2008
    • August 2008
    • July 2008
    • June 2008
    • May 2008
    • April 2008
    • March 2008
    • February 2008
    • January 2008
  • 2007
    • December 2007
    • November 2007


Tags

  • Best Practices (11)
  • Business Incentive (1)
  • Data Breach (8)
  • Data Handling Manual (5)
  • Data Protection Officer (1)
  • EU (4)
  • FSA (1)
  • Government (13)
  • Human Rights (6)
  • Internet (21)
  • IT (21)
  • Organisations (40)
  • Personal Data (48)
  • Private Persons (30)
  • Spam (4)
 

Copyright © 2003-2025 Lee & White®. All rights reserved.

Legal Notice  -  Privacy Policy  -  Contact