How safe is your iPad?
Wednesday 30th November 2011
The Data Protection Act (DPA) applies to the use and storage of personal data held in electronic or organised paper filing systems by businesses and organisations. Personal data is any information from which a living individual can be identified; typically it relates to customers, clients and staff.
Any person or company that handles personal data is a data controller and is required to comply with the DPA. The Information Commissioner (ICO) has powers to enforce the DPA, which include requiring undertakings from data controllers and levying civil penalties of up to £500,000. A number of high-profile cases (some with substantial fines) illustrate the ICO’s determination to enforce compliance. Recently Oliver Letwin was found in breach of the DPA for disposing of constituents’ letters in park bins. In another case a barrister lost an unencrypted laptop. While organisations may ensure that the rules are followed in the office, with computers and data sticks encrypted and paper shredded onsite, many of the breaches that attract the ICO’s interest arise when data has left this secure environment, such as when fee earners work remotely and travel with data. Data controllers may also be responsible where data is outsourced to third parties. Unless the data controller is satisfied that outsourced providers and employees adhere to the same rules outside the office, they may find themselves explaining why to the ICO.