Welcome to the SecAware blog

I spy with my beady eye ...

23 Jun 2007

Data Protection Act requires personal user IDs

DISCLAIMER: I am not a lawyer. This blog piece is based on incomplete information and hence speculation on various assumptions that may or may not be true. Still, it's an interesting case ...

The UK's Information Commissioner (IC) has released details of an undertaking affecting British mobile phone company, Orange (Orange Personal Communications Services). The issue specifically concerns Orange's practice whereby existing employees share their user IDs and passwords with new employees, presumably before the new employees' own accounts have been set up, in contravention of principle 7 of the Data Protection Act.

Principle 7, the security principle, reads as follows:
"7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The seventh principle is interpreted further in Part II of the Act:
9. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to -
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.

10. The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle -
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.

12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless -
(a) the processing is carried out under a contract -
(i) which is made or evidenced in writing, and
(ii) under which the data processor is to act only on instructions from the data controller, and
(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle."

Possibly the IC was unable to determine which of the several people sharing an ID had infringed the Data Protection Act in some way, perhaps in a privacy incident. Equally, this action may have been taken to forestall such a situation in future.

It seems strange to me that the IC would be concerned about the internal operations of a data processor in this level of detail, especially given that neither the principle nor the explanatory notes explicitly ban the sharing of user IDs.

Sharing of user IDs is not uncommon in practice but is normally covered by a corporate policy stating that the legitimate owner of an ID must keep their ID and password private, and is personally accountable for whatever happens under their ID. In that way, even if someone shares their ID with someone else who creates a problem, the original person is held to account both for disclosing the password and for the incident that ensued. Perhaps Orange did not have such a policy in place, or perhaps it (in effect) forced employees to share their IDs with others? I can only guess. Anyway, Orange has undertaken to cease the practice and is probably busy slickening-up its security admin processes to get personal user IDs and passwords quickly to new employees.
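The accountability problem described above has a practical detection side: when one ID is used by several people, the same account tends to show up in overlapping sessions from different workstations. The following is an added example, not code from the original post or from Orange or the IC, that scans a constructed login/logout log for exactly that pattern. The log format (`<ISO timestamp> LOGIN|LOGOUT user=<id> host=<name>`), the user names and the host names are all assumptions made up for the example.

```python
"""Flag user IDs with overlapping sessions on different hosts.

Added example (not from the original post). Assumes a constructed log
format:  <ISO timestamp> <LOGIN|LOGOUT> user=<id> host=<hostname>
An ID that is logged in on two different hosts at the same time is the
footprint that a shared (or stolen) password leaves behind, and the
reason a one-person-one-ID policy is needed for accountability.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (fictional users and hosts).
# "jsmith" is logged in on ws-101 and ws-312 at once; "asingh" just
# reconnects to the same workstation after lunch, which is not sharing.
SAMPLE_LOG = """\
2007-06-20T08:58:10 LOGIN user=jsmith host=ws-101
2007-06-20T09:02:45 LOGIN user=asingh host=ws-204
2007-06-20T09:05:00 LOGIN user=jsmith host=ws-312
2007-06-20T11:30:00 LOGOUT user=asingh host=ws-204
2007-06-20T12:00:00 LOGOUT user=jsmith host=ws-101
2007-06-20T12:15:00 LOGIN user=asingh host=ws-204
2007-06-20T17:00:00 LOGOUT user=jsmith host=ws-312
2007-06-20T17:05:00 LOGOUT user=asingh host=ws-204
"""


def parse_line(line):
    """Split one log line into (timestamp, event, user, host)."""
    ts, event, user_kv, host_kv = line.split()
    user = user_kv.split("=", 1)[1]
    host = host_kv.split("=", 1)[1]
    return datetime.fromisoformat(ts), event, user, host


def sessions_from_log(text):
    """Pair each LOGIN with the next LOGOUT for the same (user, host).

    Returns {user: [(start, end_or_None, host), ...]}.  A session still
    open when the log ends gets end=None and is treated as open-ended.
    """
    open_sessions = {}
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, host = parse_line(line)
        key = (user, host)
        if event == "LOGIN":
            open_sessions[key] = ts
        elif event == "LOGOUT" and key in open_sessions:
            sessions[user].append((open_sessions.pop(key), ts, host))
    for (user, host), start in open_sessions.items():
        sessions[user].append((start, None, host))
    return dict(sessions)


def find_shared_ids(sessions):
    """Return {user: [(host_a, host_b, overlap_start, overlap_end), ...]}
    for every pair of sessions of one ID that overlap on distinct hosts."""
    findings = defaultdict(list)
    for user, sess in sessions.items():
        ordered = sorted(sess, key=lambda s: s[0])
        for i in range(len(ordered)):
            for j in range(i + 1, len(ordered)):
                a, b = ordered[i], ordered[j]
                if a[2] == b[2]:
                    continue  # same host: a reconnect, not a second person
                a_end = a[1] or datetime.max
                b_end = b[1] or datetime.max
                # b starts no earlier than a (sorted), so they overlap
                # exactly when b starts before a has ended.
                if b[0] < a_end:
                    findings[user].append((a[2], b[2], b[0], min(a_end, b_end)))
    return dict(findings)


if __name__ == "__main__":
    for user, hits in find_shared_ids(sessions_from_log(SAMPLE_LOG)).items():
        for host_a, host_b, start, end in hits:
            print(f"{user}: concurrent sessions on {host_a} and {host_b} "
                  f"from {start:%H:%M} to {end:%H:%M}")
```

A real deployment would read the authentication log of the directory or application in question rather than a string, and would typically add a short grace window so that a user moving between two desks is not flagged; the overlap test itself stays the same. Note that this finds the symptom, not the cause: an overlapping session may also mean a compromised password, which is one more reason the account owner, not the ID, has to be the unit of accountability.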

In addition to that made by Orange, undertakings have been made by the following organizations: Littlewoods, Alliance and Leicester, Barclays Bank, Clydesdale Bank, Co-operative Bank plc, Dipesh Limited, HBOS plc, HFC Bank Limited, National Westminster Bank plc, Nationwide Building Society, Phones4U, Post Office Limited, Scarborough Building Society, The Royal Bank of Scotland plc and United National Bank Limited (and presumably others not currently listed on the IC's website).

[The preponderance of banks and financial services companies in this list arises largely from a mass enforcement action in March resulting from the disclosure of bank customers' personal details in the trash.]
