Under UK law, all companies handling personal data are subject to the Data Protection Act (1998) (DPA) which are designed to ensure that data is stored safely and to prevent abuse of such information. Breaching the DPA can already result in prison sentences and hefty fines which are likely to be increased again this year to £500,000 making data security very important to businesses of all sizes. The Act is summed up in 8 principles and when considering small business IT systems, the key principle is number 7:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The proliferation of IT systems within smaller companies means that quite often the data stored therein is easily open to abuse or breach of the guidelines. The 7th principle is one of the most important aspects of computer network design and should be one of the first issues addressed as new systems are implemented.

Similarly personal data must be protected from access by unauthorised users from outside the company. Such security is provided by network protection measures such as antivirus software and firewalls. Most commonly businesses tend to only consider this aspect of data protection, assuming that data theft or damage will come from outside their company.

Frequently we find that computer networks in smaller companies have grown organically, that is new parts are added as and when required with little consideration given to security or access permissions. According to the Data Protection Act (DPA), companies are responsible for restricting data access to staff who process that information; leaving personal data open to all staff leaves companies in breach of the DPA.

The final aspect of the 7th principle is the requirement for data to protected against loss. The implementation of a data backup routine is vital so that in the event of a catastrophic loss of data, not only can the company quickly get back up to speed, but they can also avoid prosecution for losing personal information. The format of this backup is not hugely important and can be as simple as taking a copy of the company's data offsite on a removable hard drive twice a week.

Junari have several years experience in data protection and network security issues and are eminently qualified to assist in helping businesses comply with the Data Protection Act. Junari's IT Audits address common data protection issues as well as providing advice on addressing them. If you require any further advice, please do not hesitate to contact us.

Further information regarding the Data Protection Act and your responsibilities under it can be found on the Information Commissioner's Office website.