Data Protection and ISO 9001
Perhaps in reaction to embarrassing and damaging 'laptop left on train' incidents and the like, modern versions of the ISO 9001 standard include personal data within the scope of 'customer property' (clause 7.5.4). Organisations are required to exercise care with customer property while it is under the organisation's control or being used by it.
The Information Commissioner's Office (ICO) urges businesses to review their policies for handling personal data. You may recall a well-known historical case in which it issued an eye-watering £150,000 fine to the Nursing and Midwifery Council for a breach of the Data Protection Act. It is understood that the fine related to the loss of 3 DVDs containing data from a misconduct hearing, including confidential personal information. The data on the DVDs had been stored unencrypted, meaning it was readable by anyone who came into possession of them.
At the time, David Smith, Deputy Commissioner and Director of Data Protection, stated: “It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again.
“While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.”
As auditors, we need to assure ourselves that organisations have robust procedures in place to ensure that this type of data is identified and handled in line with statutory and standard requirements, that the staff involved fully understand those requirements, and that they are able to deliver against them.