
Security expert reveals personal data risks

This is Gloucestershire

The recent story by the BBC concerning the security measures taken on Tesco’s website, and the subsequent investigation by the UK’s independent authority on data protection, the Information Commissioner’s Office (ICO), illustrates the importance to businesses of data protection and of ensuring that website security measures are current.

For those not familiar with the story, data security specialists were critical of how Tesco stored the passwords of shoppers who used Tesco’s shopping website. Some specialists argued that there should be cryptographic storage of individuals’ login credentials (which is basically a form of encryption) and that HTTPS (“Hypertext Transfer Protocol Secure”) should be used across the entire website.
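To show what “cryptographic storage of login credentials” means in practice, here is an added example (not from the article, and not Tesco’s code): a minimal credential store that never keeps the password itself, only a per-user random salt and a slow, iterated hash (PBKDF2-HMAC-SHA256) that is compared in constant time at login. The user names and passwords are constructed sample values; the iteration count is an assumed, illustrative setting.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Illustrative work factor; a real deployment tunes this to its hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given,
    so two users with the same password still get different stored records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so the comparison itself leaks no information about where the bytes differ."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


class CredentialStore:
    """Holds only (salt, digest) per user; the cleartext password is never written."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Run the hash anyway so unknown users take as long as known ones.
            hash_password(password)
            return False
        salt, digest = record
        return verify_password(password, salt, digest)

    def record_for(self, username: str) -> Tuple[bytes, bytes]:
        return self._records[username]


if __name__ == "__main__":
    store = CredentialStore()  # constructed sample users and passwords
    store.register("shopper1", "correct horse battery staple")
    print(store.login("shopper1", "correct horse battery staple"))  # True
    print(store.login("shopper1", "wrong password"))  # False
```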

The Data Protection Act provides that organisations must take appropriate measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage to personal data. Further, in relation to the security requirements for websites collecting personal data, the appropriate level of security depends largely on the type of personal data being collected and the potential damage that may result should there be any unauthorised or unlawful processing, or accidental loss, destruction or damage to this personal data.

Clearly these principles are general, and the lack of detail causes problems for organisations when they are attempting to identify the security measures they should be taking. This is especially the case in relation to website security, which is a constantly evolving and complex area. This may be part of the problem Tesco faced when developing and maintaining its website security procedures. However, guidance from the ICO has made it clear that, if the personal data in question poses any risk to individuals should it be wrongly disclosed or lost, the initial collection and storage should only occur pursuant to a secure, encryption-based system, and the data should be held on a server also secured by encryption.

We must remember that there has been no security breach of Tesco’s systems and that determining the appropriate level of website security is not straightforward. However, this story shows that all organisations collecting personal data online, not just those the size of Tesco, should frequently review their website security measures to ensure the technical measures comply with good industry practice and are commensurate with the personal data being collected.

Matt Johnston is a Senior Associate in the Commercial Department at Harrison Clark, heading up the Cheltenham team. Matt specialises in data protection, technology and e-commerce. Tel: 01242 216177
