
Data security: getting started

What security measures do we need to put in place?

It depends what type of personal data you’re holding and using, but we’ve written a basic guide covering some practical ways to keep your IT systems safe and secure, to help you get started.

Some security measures are common sense and are likely to be part of your usual procedures, even if you haven’t thought of them as data protection measures before – locking cabinets and ensuring the windows and doors of your workplace are secure, for example. It’s likely you have electronic security measures in place, too, such as strong passwords, firewalls, and anti-virus software. 

Other measures might take a little more thought and planning, such as training your staff on how to spot suspicious emails and making sure you don’t hold on to data for longer than you need it.

Information about people that is particularly sensitive – such as health data – needs extra protection.

What do we need to do if we want to use CCTV?

Firstly, you need to make sure that CCTV is really the right option for your company. Why do you need it, and are there any other options you could explore that are less intrusive? Consider what people would expect. For example, CCTV in toilets or public changing areas isn’t likely to be acceptable.

If you decide you need to use CCTV, create a document about how it will be used, why you’re using it, and how long you will keep the recordings. You should also note down how you plan to keep the recordings secured, and the responsibilities of your staff in relation to CCTV. This could include limiting access to the CCTV to a few key members of staff.

You’ll need to put up signs so that people know they’re being recorded. The signs need to be clear and obvious, telling people that CCTV is in operation.

Your business will also need to be registered with the ICO.

Why can’t the ICO endorse video call providers?

As the UK’s data protection regulator, we’re independent. This means we can’t endorse a specific organisation, for video call services or anything else. We also can’t individually vet every new communications service that enters the market.

But what we can do is advise you on what to look out for when you’re choosing a video call provider. It's important that the services offered are secure and safe, so you should check the provider’s privacy and security settings carefully. Look to see if the provider gives clear and transparent details on the security features they have and how best to implement them. You should make sure your staff and any volunteers use the right security settings, and update software as soon as possible when there are updates available.

What types of data need more protection?

There are some types of personal data that are likely to be more sensitive, known as special category data under the UK GDPR.

This includes personal data revealing or concerning:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • health;
  • a person’s sex life; and
  • a person’s sexual orientation.

If you’re processing any of these types of data, you should give particular consideration to how and why the data is used, and make sure you only use it when it’s absolutely necessary.

How do I know if personal data is high risk or sensitive?

You’re probably already familiar with the types of personal data that are generally considered high risk or sensitive based on how you feel about sharing it when it’s about you or someone in your care.

For example, many of us would be cautious about sharing information about our medical history, political opinions, or sexual orientation. But if asked for our email address, we’d probably be less concerned. It would depend on who is asking and what we think might happen to the data.

Data protection law takes this idea and makes some firm rules about the types of data that need more protection, which are known as the ‘special categories’ of personal data.

Outside of these special categories, knowing whether personal data is high risk or sensitive also partly depends on the risk of that data falling into the wrong hands, which your risk assessment will help you to work out.

If we’re processing special category data, what do we need to do?

Data protection law applies to any personal data you have or use (unless you’re using the data for purely personal or household activities). Your basic data protection obligations include having a lawful basis for processing and appropriate security measures. But where special category data is concerned, even stronger rules apply. This is because the special categories refer to personal information that could cause significant harm, such as discrimination or physical danger, if it was misused. 

If you’re processing special category data, you should give particular consideration to how and why the data is used, and make sure you only use it when it’s absolutely necessary. You should also take extra care to keep it safe. Generally speaking, the more sensitive the data, the more safeguards you need to have in place. For example, you might need to do a DPIA and think about how your activities affect people’s rights.

You also need to meet a further condition from the list below, in addition to your lawful basis for processing.

(a) You have the explicit consent of the person it relates to

(b) You’re processing the personal data for employment, social security and social protection purposes (if authorised by law)

(c) You need to process the personal data to protect the vital interests of the person. This can be in situations where someone’s life might depend on you using their data, like a medical emergency

(d) You’re a non-profit body, a charity or fundraising organisation

(e) The data has already been made public by the person it relates to

(f) You need to process the personal data because of a legal claim or a judicial act

(g) You need to process the personal data for reasons of substantial public interest (with a basis in law) such as if it’s something that’s really important for people to know about

(h) You’re processing the data for health or social care purposes (with a basis in law)

(i) You’re processing the data for public health reasons (with a basis in law)

(j) You’re processing the data for archiving, research and statistics (with a basis in law)

Some of these have further conditions attached that you also need to meet. If you’re unsure, please contact us and one of our advisors will help you.

What’s the best way to destroy documents?

Data protection law doesn't say exactly how you should destroy documents that you no longer need. But you need to make sure it’s done securely and in a way that means the information can't be recovered by anyone else.

For example, shredding documents instead of putting them into general waste makes it much more difficult for someone to see information they’re not authorised to see, either accidentally or deliberately.

We’ve produced a short guide on practical methods for destroying documents that are no longer needed which includes tips on how to destroy electronic files securely and has been written with small organisations in mind.

What does data protection say about information relating to criminal offences or convictions?

Data protection law gives extra protection to a wide range of personal data to do with criminal activity and proceedings, which we loosely refer to here as ‘criminal offence data’. This could be specific data about criminal convictions or allegations, but it could also be any personal data about criminal offences or other security concerns.

Occasionally, as a small organisation, you might process criminal offence data. For example, you could have CCTV footage of someone vandalising your premises that you want to pass to the police. Or if you keep details of DBS checks, you’d be handling criminal offence data, even if the checks came back clear and show no criminal convictions.

In data protection law, this type of data needs extra protection because misusing it could cause significant risks to people. For example, it could affect someone’s right to a fair trial, it could limit their freedom to conduct business, or it could negatively impact their private and family life.  

However, unlike the rules around special category data which are there to make sure information that’s particularly high risk or sensitive is treated with special care, the rules around criminal offence data are a bit different. This is because the need to protect people from criminal activity means that using this type of information can be justified in a wider variety of circumstances, despite the potential impact on the person who it's about.

For example, Teresa has CCTV installed at her shop. She catches someone shoplifting and wants to pass the CCTV footage to the police as evidence. At this point in time, Teresa is holding and sharing information relating to a criminal offence. This means that Teresa not only needs a valid reason – or lawful basis – to hold and use this information (which she would have needed in the first place before she started using CCTV), but the criminal offence adds another element. Teresa needs what’s known as a ‘condition to process’ this type of information. In Teresa’s situation, she can collect and share this information with the police to prevent or detect unlawful acts.

If you’re processing information relating to criminal convictions and offences and aren’t sure how to do this in a compliant way, you can contact us for advice.

Am I allowed to send data outside of the UK?

If you’re sending data outside of the UK, you may need to take some extra steps to make sure the data is protected under the UK GDPR. If it’s recognised (through what’s known as an ‘adequacy decision’) that the country you’re sending the data to already has good rules to protect the data, you won’t need to do anything else. Otherwise, it’s likely you’ll need to put a contract in place with the organisation you’re sending the data to. These contracts are called standard contractual clauses (SCCs) and contain specific terms to make sure that the data is being used correctly when sent internationally. If this isn’t possible, you should look to see whether there are any exceptions which apply to your circumstances.

For example, Jenna is a UK physiotherapist who uses an online app to store her patients’ personal data. This platform uploads the data to a server based in Brazil. As Jenna is sending the data outside of the UK, she needs to make sure it will be protected. There is no adequacy decision to say that Brazil’s rules provide enough protection for the data, so Jenna will probably need to speak with the other organisation and put SCCs in place.  

Can we use facial recognition technology (FRT) for payment, entry or other security systems?

This FAQ highlights some of the key issues you should be aware of before using facial recognition technology (FRT). You must give careful consideration before using this type of technology.

FRT and similar technologies may offer certain benefits, such as making it easier to access devices, take payments or allow entry to secure areas. But these technologies can intrude on people’s privacy, so you need to think carefully when deciding whether to implement them. Consider whether there’s a less intrusive method you can use to achieve the same outcome.

Before you use FRT, you must complete a data protection impact assessment (DPIA) to show why using this technology is justified and proportionate. You must also assess how you’ll reduce any associated risks, such as bias or discrimination. This is especially important where you’ll be using personal data relating to children or vulnerable people.

You must identify a lawful basis. Consider whether consent is appropriate. If it is, you’ll need to give people an alternative to FRT, such as using a swipe card to enter a building. Make sure the alternative option doesn't disadvantage anyone.

Remember, FRT is likely to use special category biometric data (facial imaging) so you’ll also need to identify and satisfy a special category condition.

Be transparent with people about your use of FRT. Have clear signs, written in simple language, that tell people what you’re doing and how they can exercise their information rights. You must also include this in your privacy notice.

Can we use blind carbon copy (BCC) to send emails to multiple people?

When you use the ‘BCC’ field to send an email, the recipients can’t see each other’s email addresses.

You can use this if the personal information you’re sharing isn’t sensitive and there’s little risk. But if your email may reveal sensitive information about the recipients, you should assess whether other secure methods, such as a bulk email service or a mail merge service, would be more appropriate.

What do we mean by sensitive information?

Whether personal information is sensitive depends on the circumstances. You should consider what impact revealing it would have on people. For example, financial information or information that might be used to commit ID fraud would probably be classed as sensitive.

Disclosing email addresses can reveal people’s information and potentially cause significant harm. Even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose confidential information about them. For example, sending information about the new opening hours of an HIV clinic would reveal the recipients are likely to use that service.

At the ICO, we’ve seen hundreds of personal data breach reports where a sender has forgotten to use the ‘BCC’ field – a simple case of human error.

To protect the personal information you hold, you must assess which measures are appropriate to put in place. You could:

  • set rules within your email system to provide alerts and warn email senders when they use the Carbon Copy (CC) field;
  • set a delay, allowing time for errors to be corrected before the email is sent;
  • turn off the auto-complete email function to prevent the system suggesting email addresses in the recipient’s box; and
  • use the NCSC email security check tool.
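One way to implement the first of these measures (an alert when a message exposes many recipients in the To or Cc fields instead of Bcc), written here as an added example that is not part of the ICO guidance or any named product. It uses only Python’s standard `email` module; the policy threshold `MAX_VISIBLE_RECIPIENTS`, the function names and the two sample messages are constructed assumptions for illustration.

```python
"""Added example (not ICO guidance): flag outgoing mail that exposes many
recipients to each other via To/Cc, so a gateway or add-in can warn the
sender before the message leaves. Threshold and samples are assumptions."""
from email import message_from_string
from email.utils import getaddresses

# Assumed policy value: more than this many visible recipients triggers a warning.
MAX_VISIBLE_RECIPIENTS = 5


def visible_recipients(raw_message: str) -> list[str]:
    """Return the de-duplicated addresses every recipient will be able to see.

    Only the To and Cc headers count; Bcc is excluded on purpose because the
    sending server strips it, so Bcc recipients are never revealed to each other.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _name, addr in getaddresses(headers) if addr})


def check_bulk_exposure(raw_message: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Decide whether a message should be held for the sender to review.

    Returns 'warn' when the number of visible recipients exceeds the limit,
    otherwise 'allow'. The domain count is reported so the warning can say
    how many separate organisations or individuals would see each other.
    """
    visible = visible_recipients(raw_message)
    domains = {addr.rsplit("@", 1)[-1] for addr in visible}
    exposed = len(visible) > limit
    reason = (
        f"{len(visible)} recipients visible across {len(domains)} domains; "
        "use Bcc or a mail-merge service"
        if exposed
        else "within policy"
    )
    return {
        "action": "warn" if exposed else "allow",
        "visible_count": len(visible),
        "domain_count": len(domains),
        "reason": reason,
    }


# Constructed sample: the classic mistake, six patients placed in Cc.
CC_BLUNDER = (
    "From: reception@clinic.example\n"
    "To: undisclosed@clinic.example\n"
    "Cc: p1@example.com, p2@example.net, p3@example.org, "
    "p4@example.com, p5@example.net, p6@example.org\n"
    "Subject: New opening hours\n"
    "\n"
    "We are now open until 7pm on Thursdays.\n"
)

# Constructed sample: the same mailing done correctly, recipients in Bcc.
BCC_OK = (
    "From: reception@clinic.example\n"
    "To: reception@clinic.example\n"
    "Bcc: p1@example.com, p2@example.net, p3@example.org, "
    "p4@example.com, p5@example.net, p6@example.org\n"
    "Subject: New opening hours\n"
    "\n"
    "We are now open until 7pm on Thursdays.\n"
)

if __name__ == "__main__":
    for label, sample in (("Cc blunder", CC_BLUNDER), ("Bcc", BCC_OK)):
        result = check_bulk_exposure(sample)
        print(f"{label}: {result['action']} ({result['reason']})")
```

A real deployment would run this check on the draft before submission (the "delay" bullet above gives the sender time to act on the warning) and would tune the threshold per organisation; an all-staff message to one internal domain may deserve a different limit from a message that mixes several external domains, which is why the domain count is returned alongside the recipient count.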

You must have the appropriate technical and organisational security measures in place to protect personal information when sending bulk emails. Make sure your staff know how to handle personal information securely. You should train staff about sending bulk communications by email.

Your email service provider should provide further information on how to use mail merge. For example, Google and Microsoft provide support on how to use mail merge.