How data security is like a car park. Sort of.
Last Friday I parked in my usual car park. I entered it past the signs informing me of the terms for parking there, and the penalties for breaching them. After parking I walked past the signs reminding me in big letters “HAVE YOU PAID AND DISPLAYED?”, and went in to work.
But when I returned later that day I had a ticket on my windscreen – a penalty charge notice – imposed for failing to display a ticket. I still don’t know how I managed to do this. Every other time I have parked, I have bought a ticket and placed it in the same place on the dashboard. But something went wrong this time.
Ever one to draw a clumsy analogy for the sake of a blog post, it got me thinking about data security. We all know how to avoid enforcement action by the Information Commissioner’s Office (ICO): train your staff, have good policies and procedures, and check regularly that they’re being complied with. Then, if something goes wrong, the ICO will determine that there was nothing more you as an organisation could have done to prevent the incident, and you are not in breach of the Data Protection Act. (Of course it’s a bit more complicated than that. But not much.)
However watertight your policies are though, and however often and loudly you remind people about them, mistakes happen. As Einstein is reported to have said “Two things are infinite: the universe and human stupidity; and I’m not sure about the universe.” All you can do is mitigate the risks, and mitigate them sufficiently to satisfy those who regulate you. Thus, the ICO will (should) not impose a Monetary Penalty Notice if you had taken all the data security precautions you reasonably could have taken but one person made a stupid mistake leading to a data breach.
And, because the car park has clear and fair terms and conditions, I won’t challenge the lawfulness of imposing a penalty charge notice just because one stupid individual failed to check that his stupid car had a stupid $%*&ing ticket on the stupid dashboard last Friday morning.
I think you’ve got this all wrong. I think you should spend large sums of money appealing the penalty, and I can help. Would you like my business card?