
Information security survey finds that most COLPs are not taking responsibility for data security
9 November 2012

A survey carried out by our partners Oyez and the IAAITC on information security has revealed that the majority of compliance officers for legal practice (COLPs) are not taking responsibility for data security, despite the requirements of the SRA Handbook.

A third of firms are unaware that the SRA Handbook requires compliance with the Data Protection Act 1998 whenever personal data is handled.

Half of all firms are not aware of the requirements regarding encryption of sensitive personal data and the consequences of not getting it right (monetary fines and damage to reputation).

92% of firms that outsource activities such as IT provision, data shredding or typing do not put measures in place to protect clients' personal data.

The DPA sets out eight principles that you and your staff must understand and comply with. Lapses in the protection of personal data, when they occur, are increasingly costly, not just in terms of monetary loss but also in terms of reputational damage to your firm.

While COLPs may be held responsible for information security breaches, "Ultimately under both the SRA code of conduct and the Data Protection Act, the responsibility rests with the partners/owners of the firm regardless of where the day-to-day responsibility is delegated."

Although 84% of firms had information security policies, fewer than a third had "basic policies covering the sending and receiving of personal data via secure e-mails, or saving and retrieving files securely from a laptop, for example".

Whilst firms recognise [the problem] and acknowledge the potential financial, regulatory and reputational impact a breach in information security could have on the firm, there is a lack of the necessary appropriate actions to achieve the legal and regulatory requirements to protect the integrity of personal data. Formulation of policies in an ad hoc way rather than through the implementation of any rigorous methodology, and the lack of regular evidence-based training, would be suggestive of a profession not yet coming to terms with what it really means to be fully compliant with the legal and professional regulation.
