The recent disclosure of hundreds of thousands of classified and confidential diplomatic documents by the “whistle blowing” website Wikileaks has caused untold embarrassment for many of the world’s governments. What is more remarkable is that it is believed that all these documents came from a single source, a junior member of staff.
The Wikileaks fiasco, along with recent reports of civil servants misplacing government databases contained on storage devices, highlight the difficulties organisations face when dealing with large amounts of sensitive electronic data which can be destroyed, moved and copied by employees with ease.
Administering data in this way can present commercial risks to employers, both large and small. However, with the right policies in place an employer can minimise the risks of employees losing, destroying or stealing electronic data.
A Data Security Policy can be put in place to regulate who has access to what data and how it is to be managed. The Policy can be effectively incorporated into a company’s contracts of employment or office handbook, making its terms binding on employees. The policy should be tailored to the business’s needs and the needs of any clients for whom the company may be holding data.
Typically a Data Security Policy would incorporate the following:
• Responsibilities – Allocating accountability for the security of electronic data to all employees. The employer may want to appoint a senior member of staff as a data security officer who has overall responsibility for the management of the system.
• Data Confidentiality, Data Access & Disposal – Setting out what documents are confidential and who has access to them. There should also be measures in place dealing with the disposal of such information when it is no longer needed. The employer would also want to set out how any password or encryption systems are administered and who has responsibility for maintaining them.
• Physical Security – Covering how data is physically stored and transported. For instance, an employer may want to limit what sort of data can be taken off-site on removable storage devices (pen drives, mp3 players etc.).
• Remote Access – Stipulating the rules for employees who access company systems remotely, such as those working from home.
• An employer may want to cross-reference the policy in their disciplinary procedures to ensure, so far as possible, that certain gross breaches of the policy may be treated as grounds for immediate dismissal. The key to drafting an effective Policy is proportionality, in order to find the right balance between protection and flexibility.
For more information contact John Lee on 0131 226 8216 or Iain McDougall on 0131 226 8219.