Information Security and Data Protection for Financial Services - August 2014
Published 8 August 2014
Prior to this year, the fifth data protection principle (personal data must not be kept longer than is necessary), which sits sandwiched between the higher-profile and more actively enforced principles of fairness, security and transfers of personal data outside the EEA, has been a predominantly forgotten (pun intended) obligation hidden in our data protection law. Although I have seen a trend in the last few years towards companies implementing data retention policies and schedules, in reality these are put in place to pay lip service to the obligation and in practice are not enforced.
However, in the last few months, most notably as Google struggles with its tens of thousands of requests "to be forgotten", the public is becoming more aware of the restrictions on a company's right to hold personal data for indefinite periods of time. The European Court of Justice ruled this year that the EU's Data Retention Directive (2006/24/EC), which obliged telecom companies and ISPs to hold certain personal data for periods of between six months and two years for law enforcement purposes, was invalid because it disproportionately infringed individuals' privacy rights.
This month we have seen the UK trying to force through emergency legislation obliging such companies to hold onto the data for 12 months for the purposes of access by law enforcement agencies, disregarding the ECJ opinion. The civil rights campaigners Liberty have announced that they will be seeking a judicial review of the legislation on behalf of two MPs.
Then at the end of July, after a bit of a lacuna in ICO monetary penalties, the ICO announced that it is fining Think W3 £150,000 for a serious breach of the DPA: the company's website failed to use secure coding, leaving the site vulnerable to cyber-attack and resulting in the extraction of 1,163,996 credit and debit card records by a malicious hacker. In its notice the ICO makes a passing comment that "Cardholder data had not been deleted from the server since 2006". The ICO does not go as far as proclaiming that Think W3 breached the fifth principle, and ends up resting on the predictable and well-trodden conclusion that the company breached the seventh principle (security). However, one cannot help but predict that the first fine for a breach of the fifth principle is not too far away.
In any event, the less data a company holds, the less there is to be exposed in a security breach, so now is the time to dust off, review and start implementing those data retention policies.