
Security expert reveals personal data risks

This is Gloucestershire

The recent BBC story about the security measures on Tesco's website, and the subsequent investigation by the Information Commissioner's Office (ICO), the UK's independent authority on data protection, illustrates how important it is for businesses to take data protection seriously and to keep their website security measures current.

For those not familiar with the story, data security specialists were critical of how Tesco stored the passwords of shoppers who used its shopping website. Some specialists argued that login credentials should be stored cryptographically (in practice, as salted one-way hashes, so that the original password cannot be recovered from the stored record even by the site operator; this is different from reversible encryption) and that HTTPS (Hypertext Transfer Protocol Secure) should be used across the entire website rather than only on parts of it.
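To show what "cryptographic storage" of passwords means in practice, here is an added example that is not part of the article and does not describe Tesco's or the ICO's systems. It uses only Python's standard library: each password is stored as a salted PBKDF2-HMAC-SHA256 digest, verification recomputes the digest and compares it in constant time, and a helper flags records hashed under an older, weaker work factor so they can be upgraded at the user's next login. The record format, iteration count and sample passwords are assumptions chosen for the example.

```python
# Added example (not from the article): storing passwords as salted, one-way
# hashes so that neither an attacker who copies the database nor the site
# operator can recover the original password. Standard library only.
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 210_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<digest>'.

    A fresh random salt per user means two users with the same password get
    different records, which defeats precomputed (rainbow-table) attacks.
    The salt parameter exists only so tests can make the output deterministic.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported password record: %s" % algorithm)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if a stored record is below the current work-factor policy.

    Because the hash is one-way the site cannot upgrade it offline; it must
    re-hash at the user's next successful login, when the plaintext is available.
    """
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < min_iterations


if __name__ == "__main__":
    # Constructed sample: two shoppers who happen to choose the same password.
    alice = hash_password("correct horse battery")
    bob = hash_password("correct horse battery")
    print("records differ despite identical passwords:", alice != bob)
    print("correct password verifies:", verify_password("correct horse battery", alice))
    print("wrong password rejected:", verify_password("Correct horse battery", alice))
    # A constructed record hashed under an older, weaker policy is flagged for upgrade.
    legacy = "$".join([ALGORITHM, "1000", _b64(bytes(SALT_BYTES)), _b64(
        hashlib.pbkdf2_hmac("sha256", b"old-password", bytes(SALT_BYTES), 1000))])
    print("legacy record needs rehash:", needs_rehash(legacy))
```

The point of the one-way design is that a site built this way can never e-mail a shopper their existing password, only reset it; a site that can send the original password back has necessarily stored it reversibly, which is the kind of storage the specialists in the story objected to.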

The Data Protection Act provides that organisations must take appropriate measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage to personal data. Further, in relation to the security requirements for websites collecting personal data, the appropriate level of security depends largely on the type of personal data being collected and the potential damage that may result should there be any unauthorised or unlawful processing, or accidental loss, destruction or damage to this personal data.

Clearly these principles are general, and the lack of detail makes it hard for organisations to identify the security measures they should be taking. This is especially so for website security, which is a complex and constantly evolving area, and it may be part of the problem Tesco faced when developing and maintaining its website security procedures. However, guidance from the ICO has made it clear that, if the personal data in question poses any risk to individuals should it be wrongly disclosed or lost, it should only be collected over an encrypted connection and held on a server where it is also protected by encryption.

We must remember that there has been no security breach of Tesco's systems and that determining the appropriate level of website security is not straightforward. However, this story shows that all organisations collecting personal data online, not just those the size of Tesco, should review their website security measures regularly to ensure that the technical measures follow good industry practice and are commensurate with the personal data being collected.

Matt Johnston is a Senior Associate in the Commercial Department at Harrison Clark, heading up the Cheltenham team. Matt specialises in data protection, technology and e-commerce. Tel: 01242 216177

