IT is one of the most rapidly evolving areas of business development. Data is an integral part of every business, and every business transaction, e-mail and online message is traceable through IT data. Data protection measures exist to reduce the likelihood of personal data being abused; without such measures, individuals would have no safeguards against identity theft or other acts of cybercrime. Every business needs well-managed IT, and executives, directors and security managers must understand the importance of their IT investment. Data protection refers to a form of individual privacy, which can be defined as follows:
“Privacy refers to the rights of individuals and organizations to determine for themselves when, how, and to what extent information about them is to be transmitted to others” (Grandinetti, 1996, cited in Udo 2001, p.165)
With each IT development comes an associated IT risk. Not only is the organisation at risk, but individual employees of the organisation may also be the target of a security threat. It is therefore paramount that security managers are aware of the steps they need to take to protect such data. The stringency of the Data Protection Act appears to obstruct the work of the security manager, and the contributing factors to this are discussed in this essay.
To explore data protection legislation and its role in easing or hindering the security manager’s job, a particular level of research is required. It should be noted at this point that research into the implementation of the Data Protection Act is restricted, namely ‘to improve the health and well-being of the population and to secure high quality care’ (The Department of Health, cited in Strobl et al. 2000, p.890). Although this reference relates directly to data protection within the health sector, it equally applies to any investigation into data protection.
The importance of data protection is considerable:
“Privacy of individual’s data must be considered both internally and externally. Laws protecting corporations and individuals need to be understood to keep a company from being liable for infringements of unprotected data. Companies and internet providers who are not up-to-date on the laws will find themselves facing litigation in various forms.” (R. H. Rutherfoord & J. K. Rutherfoord 2010, p.1)
Organisations will find it nigh on impossible to ignore the legislation in place to protect data. Interestingly, in the period from 1979 to 1982, Labour and Conservative governments objected to additional involvement in data protection. Eventually, it was EU legislation that required the UK to enter into data protection, and in 1984 the Data Protection Act was rolled out. It is suggested that until this time the UK was at the bottom end of the scale when it came to devising data protection systems (Warren & Dearnley 2005, p.238).
UK legislation includes numerous data protection measures, including (but not exclusively) the Designs and Patents Act 1998, the Regulation of Investigatory Powers Act 2000, the Freedom of Information Act 2000 and the Companies Act 2006 (Calder & Watkins 2008, p.21). The Data Protection Act 1998 is one of the most significant pieces of data legislation to have come into force (besides the Freedom of Information Act of 2005). The Data Protection Act requires organisations in the private sector, and furthermore the public sector, to implement data security measures which help to avoid unlawful processing of the data held within their IT systems. The Data Protection Act also provides guidelines to reduce the likelihood of data being lost or stolen (Calder & Watkins 2008, p.21). Physical data storage such as CD-ROMs or videotapes is also covered by such legislation. The UK Information Commissioner has stated that for an organisation to satisfy the requirements of the Data Protection Act it must ensure compliance with ISO 27001. The Data Protection Act can never, however, be a fully comprehensive guide for all organisations, as the range of possible circumstances would be exhaustive. The British Standards Institute (BSI) has provided information assurance guidance which allows organisations to tailor-make security measures for their own needs (Information Commissioner’s Office, 2005).
The Data Protection Good Practice Note (Ibid) requires that organisations evaluate the sensitivity of their data and that clear guidelines are set as to who takes primary responsibility. It further sets out the measures that an organisation will need to take to protect data, and requires that an analysis of organisational incidents be provided, with clear information on which individuals in the organisation have access to personal data. Stringent regulations are also provided on the protection of physical data and on computer security (Ibid, 2005, p.1-5). European legislation on data protection has seen many developments since 1995. In 1995, legislation required the protection of individuals with regard to the processing of personal data. In 1997 this was extended to the telecommunications sector, and in 2000 to the electronic sector. In 2002, legislation moved into electronic communications and services, universal service users’ rights, and privacy and electronic communications (Massacci et al. 2005, p.3). Interestingly, the available data does not show legislation that directly relates to the current standing of IT capabilities. Given the overwhelming development of online communities in the past five years, it is surprising to see that legislation has not been amended to mirror such development.
The security manager has a challenging role and is there to provide information for all parts of the organisation. His specialities require him to advise IT departments and line managers, to allow the security systems to adapt to the changing organisation, to provide defence mechanisms, and to provide manuals and information so that employees can comply with and facilitate data protection (Albrechtsen & Hovden 2009, p.6). His role may also require him to be in charge of employment security, the management of risk assessment, crime management, in-house white-collar crime, and the protection of import and export routes, alongside providing physical security for the organisation. The successful security manager must be aware of the importance of data protection but must also integrate this with the overall protection of his organisation. Data collection has never been easier, and the continuing advance of ubiquitous computing and sensor networks will further strengthen the divide between the online and offline worlds. In essence this makes the challenge of data protection a significant task (Buchmann et al. 2008, p.1).
The 1998 Data Protection Act (which became active on 1st March 2000) requires specific care and protection to be taken with records both on paper and on computers. The rollout in 2000 saw the first implementation of an act that specifically protected data held on computer systems. The Data Protection Act is based on eight predominant principles, the first stating that ‘personal data shall be processed fairly and lawfully’, which immediately gives rise to debate over the definitions of ‘fairly’ and ‘lawfully’. These may of course be open to interpretation (Strobl et al. 2000, p.891).
Risks to the security manager include the ever-increasing popularity of social networks. Social networks allow a vast array of data to be made visible and available to thousands of individuals. This sits alongside the need for service providers to allow access to the Internet for internal intranets to work. Here there is a clear issue for the security manager. Data protection would require that information regarding the security aspects of the organisation is kept private within that organisation. With many employees having constant access to online social networks, data protection becomes paramount.
Of course, security managers can restrict the use of online social networks on organisational machines; however, with the vast array of available means of accessing social networks, the security manager’s job becomes compromised. As cited by Buchmann et al. (2008, p.3), a recent survey by IEEE Spectrum noted that 60% of 700 scientists expect that within the next 10 years intelligent and interconnected devices will perform services related to individuals. Many of these services have individual security restrictions, which advise the user to allow access to data before continuing. With social networks such as Facebook, individuals often have to allow their data to be accessed by third parties in order to continue using online facilities. With individuals being required to allow access to their own personal information, it becomes a tiresome task for the security manager to protect information about organisational structures without requiring all members of the organisation to sign data security documents; asking all members of an organisation not to discuss work-related matters on their online platforms is of course harder than first assumed. It is not, however, purely the use of social networking sites that causes concern for the security manager. Data protection is paramount, as employees are likely to access many different websites during work hours, which in turn can have detrimental consequences for the organisation through an inadvertent breach of security protocol (Bradshaw, 2008, p.8).
An area of serious concern is that of health data. This relates to personal medical records, treatment information and mental health data. In 1998, the NHS produced an information strategy which included the development of electronic patient records (Adams et al. 2004, p.871). This was to provide a linkage system for health practitioners to facilitate medical care for patients. The Data Protection Act states that medical records containing identifiable data are allowed to be stored on computerised records provided that the record is clearly defined, that the data is secure, that it is accurate and that overall it is confidential (Ibid, 2004, p.872). If the data is identifiable, it may not be used for any other purpose without the patient’s consent unless an exemption has been made under section 60 of the Health and Social Care Act 2001 (Ibid, 2004, p.872). This is where the job of the security manager becomes difficult. His primary concern is to protect the data of the patients in his health sector organisation. This will of course require an exhaustive security implementation that covers the vast array of employees working in healthcare. One of the more difficult aspects of this data protection is that data held on a computer system regarding a patient has to be accurate. If data held on the system is found to be inaccurate, this can of course have serious consequences for the health of an individual. The security manager must not only protect data from outside access; he must ensure that documentation is provided to all members of the organisation regarding the accuracy of medical data. Of course, the number of individuals who work in the health sector is vast, their backgrounds varied and their commitments to the health sector idiosyncratic. Although documents can be provided which require members of the health sector to adhere to the principles and codes of the Data Protection Act, there is little more that can be done to ensure the accuracy of data input.
In regard to the issue of confidentiality, the Data Protection Act requires adherence to a common law duty of confidentiality. This applies directly to information that is entrusted to a professional in confidence. This duty of confidentiality is independent of the Data Protection Act. Major issues arise here for the security manager. There are conflicting legal views on what the common law duty of confidentiality refers to, especially as in some instances the duty can be waived (Strobl et al. 2000, p.891). A security manager therefore has a duty of care to be able to provide confidence in his ability to protect the data of his patients. If members of his organisation are able to waive confidentiality (essentially making decisions about individual patients on their merits), he is unable to enforce regulations across the sector. This is an area that is going to cause particular concern for the security manager, for if confidential data is leaked there is likely to be debate as to where the responsibility lies.
The security manager protecting online data in the health sector must also be aware of the number of non-health-sector individuals constantly entering health sector premises. Issues relating to the anonymity of patient data, patient record accessibility and consent need their own specific research strategies for a worthwhile evaluation to be made (Strobl et al. 2000, p.891). Such research is beyond the scope of this paper. The same will be true of any other organisation which has a continual flow of import and export routes. It places further emphasis on the need for the security manager to make sure that the physical aspects of security are suitable for the organisation.
Further research has also shown that security protocol appears to have difficulty keeping up with the development of the technology in place. With technology changing on a daily basis, it has been suggested that the laws regulating and protecting users of technology are unable to match its progression (Zimmerman 2001, p.439). The security manager is now not only required to meet the regulations set by the Data Protection Act; he is in an ever-changing struggle with aspects of technology which are advancing far beyond his capabilities. Voice recognition Trojans and computerised banking have not only presented the security manager with the confidence problem of data protection, but have created a vast array of opportunities for cyber criminals to remove information about individuals without their knowledge or consent. In the majority of cases the security manager is not in a realistic position to prevent it. In this instance it is not data protection legislation that can be seen to be making the job of the security manager more difficult, but the advancement of technology. This in turn requires the Data Protection Act to make advancements in legislation to suit the current online enterprise.
Researchers have noted that privacy laws impose demands upon security managers that have not been empirically researched. Due to this lack of research, Data Protection Act regulations often require service managers to adapt dynamically to individual service users’ needs, which in reality is an impossible task (Kobsa 2001, p.301). Of course, being able to identify individuals from specific data is beneficial to company development. For example, the personal data stored by Facebook about its users provides it with details about their current demographic status. This allows Facebook to tailor its advertising to individuals and use their pages to display such tailored advertising. This in turn results in more revenue being generated through successful advertisement. More importantly, ‘Current adaptation to the user is still relatively simple’ (Ibid, 2001, p.301). However, securing the deployment of personalised systems creates further problems for the security manager. The research of Kobsa (2001) shows that the acceptance of such personalised systems can be seen as an impediment to the user. Although recommendations have been given to allow security managers to better manage the security of personalised systems, many of the requirements for fulfilling such security measures need further research, including natural language generation and dynamic configuration management at runtime. It was not a surprise that the findings stated that there was no single solution for all of the privacy issues in existence and that each security measure needs to be tailored to the user. In terms of the difficulties this suggests for the security manager and his ability to protect his system and users, it appears to be a minefield of complications. To meet the Data Protection Act regulations, it appears that a security manager would need to provide each individual with a specific, tailored privacy programme. This is, of course, unachievable.
Data protection legislation appears to lack flexibility. However, the Lindop report on data protection in 1978 recommended that a flexible legislative environment be provided for developing commerce (Warren & Dearnley 2005, p.238). This was a follow-up to the Younger Report on Privacy (1972), which had provided 10 recommendations for data protection in Europe. At the time these were deemed to be far-reaching.
The most recent advancement in computing, and one that poses a security issue for the security manager, is cloud computing. Utilising on-demand services allows cloud computing to provide flexibility on a simple pay-per-use basis. Cloud computing refers to the ability of individual users to store data on a virtual cloud: an ever-portable hard drive accessible from any PC with Internet access. Major concerns have, however, been raised by small and medium enterprises in regard to security, because as privacy measures currently stand there is little legislation or law on aspects of security and privacy in virtual environments (Doelitzscher et al. 2010, p.1). With the number of individuals utilising cloud computing, and possibly accessing their cloud from their work environment, comes an ever-increasing security risk. With little legislation on the protocols that security managers must follow to protect their businesses, many organisations will have to rely on the expertise of individual security managers to provide the best protection they can. Doelitzscher et al. (Ibid) have suggested that cloud providers are at risk of security breaches in regard to where they store their clients’ data, how they protect it and how they isolate it from other users. Further concerns have also been raised about the protection of individuals’ data when illegal activity is suspected. The security manager is not only at a disadvantage due to the lack of legislation; he is also at a disadvantage because, if he is to follow the Data Protection Act, his resources will be stretched to the maximum. With cloud computing, the security manager may be storing clients’ data on machines that he does not use, own or operate. With such a lack of control, not only are security issues increased, but the ability of the security manager to keep control of and protection over the data also becomes compromised (Pearson 2009, p.1).
As current legislation does not cover cloud computing, it is questionable upon whom responsibility can be placed, for if there is no protocol listed by the Data Protection Act, nobody can be held accountable for any security breaches.
The overall findings of this examination into whether Data Protection Act legislation has facilitated or obstructed the work of the security manager appear to fall in favour of obstruction. Although legislation is clearly there to protect service users, the speed and haste of the development of the Internet is creating a mismatch between the actual ability of the security manager and the abilities required to facilitate security measures within modern-day computer architecture. The recent introduction of cloud computing has also brought with it a whole new domain of security measures which need to be addressed. However, legislation has not put in place a required protocol to ensure that minimum security standards are being met. With this advancement of technology is likely to come an advancement in the ability to hack and retrieve personal data. For this to be addressed, there needs to be a full-scale research project into the security measures needed for modern-day computing. As this paper has shown, there appears to be a lack of substantial evidence and research into data protection. Of the research that has been carried out, it would appear that security managers are not following (through lack of ability rather than lack of need) the Data Protection Act legislation. It should therefore be a priority for the government officials responsible for the Data Protection Act to find out exactly why.
Adams, T. et al., 2004. Lessons from the central Hampshire electronic health record pilot project: issues of data protection and consent. BMJ, 328(7444), pp.871-874.
Albrechtsen, E. & Hovden, J., 2009. The information security digital divide between information security managers and users. Computers & Security, 28(6), pp.476-490.
Bradshaw, M., 2008. Monitoring Employee Internet Use. Society for Computers and Law, 19(1), pp.8-10.
Buchmann, E., Böhm, K. & Raabe, O., 2008. Privacy2.0: Towards Collaborative Data-Privacy Protection. In Y. Karabulut et al., eds. Trust Management II. Boston, MA: Springer US, pp. 247-262. Available at: http://www.springerlink.com/content/8763312627346048/ [Accessed October 29, 2011].
Burghardt, T. et al., 2010. A Study on the Lack of Enforcement of Data Protection Acts. In A. B. Sideridis & C. Z. Patrikakis, eds. Next Generation Society. Technological and Legal Issues. Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 3-12. Available at: http://www.springerlink.com/content/k2414426g0m11p26/ [Accessed October 29, 2011].
Calder, A. & Watkins, S., 2008. IT governance: a manager’s guide to data security and ISO 27001/ISO 27002, Kogan Page Publishers.
Doelitzscher, F., Reich, C. & Sulistio, A., 2010. Designing Cloud Services Adhering to Government Privacy Laws. In Computer and Information Technology, International Conference on. Los Alamitos, CA, USA: IEEE Computer Society, pp. 930-935.
Information Commissioner’s Office, 2005. Data Protection Good Practice Note. Rode of Federal Regulations.
Kobsa, A., 2001. Tailoring Privacy to Users’ Needs. In M. Bauer, P. J. Gmytrasiewicz, & J. Vassileva, eds. User Modeling 2001. Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 301-313. Available at: http://www.springerlink.com/content/g104588lu74l3798/ [Accessed October 29, 2011].
Massacci, F., Prest, M. & Zannone, N., 2005. Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation. Computer Standards & Interfaces, 27(5), pp.445-455.
Pearson, S., 2009. Taking account of privacy when designing cloud computing services. In Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing. CLOUD ’09. Washington, DC, USA: IEEE Computer Society, pp. 44-52. Available at: http://dx.doi.org/10.1109/CLOUD.2009.5071532 [Accessed October 29, 2011].
Rutherfoord, R.H. & Rutherfoord, J.K., 2010. Privacy and ethical concerns in internet security. In Proceedings of the 2010 ACM conference on Information technology education. SIGITE ’10. New York, NY, USA: ACM, pp. 131-134. Available at: http://doi.acm.org/10.1145/1867651.1867686 [Accessed October 29, 2011].
Strobl, J., Cave, E. & Walley, T., 2000. Data protection legislation: interpretation and barriers to research. BMJ: British Medical Journal, 321(7265), pp.890-892.
Udo, G.J., 2001. Privacy and security concerns as major barriers for e-commerce: a survey study. Information Management & Computer Security, 9(4), pp.165-174.
Warren, A. & Dearnley, J., 2005. Data protection legislation in the United Kingdom. Information, Communication and Society, 8(2), pp.238-263.
Zimmerman, R.K., 2001. The Way the Cookies Crumble: Internet Privacy and Data Protection in the Twenty-First Century. New York University Journal of Legislation and Public Policy, 4, p.439.