There are many theories about the identity of Charlotte Fakes and even more about where she obtained her information. I am not aware of anyone suggesting that anything Charlotte has revealed has been anything other than genuine – if the suggestion was that it was faked then I am sure this would have been trumpeted from the rooftops.
Bizarrely, a lot of the coverage (especially on blogs and message boards) has been about the “clear” breaches of the Data Protection Act of which Charlotte must be guilty (at least according to those very same commenters).
As I wrote last week, the Data Protection Act 1998 is not the mighty raft of legislation, capable of crushing all in its path, that some imagine. Instead it is a horribly convoluted piece of law-making which needs a packet of headache tablets and a darkened room to understand properly.
One thing, though, which is very clear (at least in principle) is the duty imposed on a “data controller” to take action when it experiences a security breach.
This is expanded upon in the Information Commissioner’s Office’s helpful guide to the operation of the Act, which says:
If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important that you deal with the security breach effectively. The breach may arise from a theft, a deliberate attack on your systems, from the unauthorised use of personal data by a member of staff, or from accidental loss or equipment failure. However the breach occurs, you must respond to and manage the incident appropriately. Having a policy on dealing with information security breaches is another example of an organisational security measure you may have to take to comply with the seventh data protection principle.
There are four important elements to any breach-management plan.
1. Containment and recovery – the response to the incident should include a recovery plan and, where necessary, procedures for damage limitation.
2. Assessing the risks – you should assess any risks associated with the breach, as these are likely to affect what you do once the breach has been contained. In particular, you should assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen.
3. Notification of breaches – informing people about an information security breach can be an important part of managing the incident, but it is not an end in itself. You should be clear about who needs to be notified and why. You should, for example, consider notifying the individuals concerned; the ICO; other regulatory bodies; other third parties such as the police and the banks; or the media.
4. Evaluation and response – it is important that you investigate the causes of the breach and also evaluate the effectiveness of your response to it. If necessary, you should then update your policies and procedures accordingly.
The ICO has also published separate guidance on notifying it of security breaches, which sets out:
- the circumstances in which we expect organisations to notify us of security breaches;
- the information we need in those circumstances; and
- what organisations can expect us to do after notifying us.
After the lurid and Mission Impossible-esque tales of hacked emails, stolen servers and interception of secure communications, coupled with allegations of “Deep Throats” in and around Ibrox, I have some simple questions for Rangers. (I do not expect them to answer me, but perhaps concerned shareholders can ask at the AGM).
After a quick check of the Data Protection Register, I see that it is The Rangers Football Club Limited which is the registered data controller – not the PLC. However, since the PLC owns 100% of the subsidiary, presumably some questions about it would be in order at the PLC’s AGM.
My questions are:
- What, if anything, have Rangers done to contain the apparent loss of its data?
- What risks have Rangers identified to it, or to its employees or contractors, from the alleged breach?
- Whom did Rangers notify about the breach? Did they tell the Information Commissioner? Did they tell people who might have been affected by the breach? Did they tell anyone?
- Have they evaluated the cause of the breach and learned lessons from it?
I am sure that, as an organisation fully compliant with its legal duties, Rangers Football Club Limited has done all it ought to have done.
After all, if it had not, then that might mean either that it does not recognise its responsibilities (which is highly unlikely), or that the “leaks” and “breaches” do not come from Rangers, or are not ones it sees as necessary to report.
We will just have to wait to see what, if anything, Rangers Football Club Limited have done about these “serious breaches” as Jack Irvine called them.
Posted by Paul McConville