
We recently had an IT system installed for document control. This has the usual username/password control. But what freaked me out was seeing that the passwords are not only stored in clear text in the database, but they're also shown to the admin girls! I've had to change passwords on other systems now, to ensure the integrity of those systems.

The supplier contends that we did not specify password encryption. But I'm sure there's something in the DPA which says that information should be kept secure, so therefore he should be doing it simply to comply with the law. Please tell me where, what clauses etc apply if this is the case.

Thanks

2006-12-19 05:08:29 · 4 answers · asked by Geoff M 5 in Computers & Internet Security

Thanks for the 3 answers thus far. I'd like to comment on the 3rd one as that has pointed out an important point: this document control system contains documents that are confidential - only certain people are allowed to see those documents. If, as admin, I can see the passwords, then I have access to those documents.... payroll, bonuses, health records... scary.

2006-12-19 06:06:32 · update #1

4 answers

To my knowledge the only law that applies to data requiring encryption and passwords implicitly is the Health and Insurance Privacy and Accountability Act (HIPAA), at least in the United States. But the DPA is a British law, so you must be in the UK.

Anyway... the Data Protection Act of 1998 requires that personal data being collected be done so only for a specific purpose and not given out to any third party without the subject's consent, similar to what HIPAA requires in the United States but going broader than health care.

The lack of encryption on passwords in the system does not appear to be applicable to the DPA as passwords are not really considered personal information because a password itself cannot be used to identify someone. Now if these passwords were to protect personal information, then the DPA may apply, but your corporate attorney would be the best person to answer that question.

Basically, whether the DPA applies comes down to whether the usernames and passwords are protecting documents that contain personally identifying information. If they do, the DPA may apply.

My advice: present the question to one of your supervisors or managers. They may know who you should speak to, or may pass the information off themselves.

2006-12-19 05:38:02 · answer #1 · answered by ballarke 3 · 0 0

Well, there's no law saying if you write insecure code, you should be in trouble. Heck, for that reason Microsoft should be punished severely.

Rather, the document control system was poorly designed. Sure, you didn't specify password encryption, but you have to be a brain dead programmer to store the password itself. (Hint: Store a hash).

So go back to the supplier, and tell them that password encryption is not your responsibility. It is instead their responsibility to provide proper encryption for transmission and a proper algorithm to avoid storing plaintext passwords.

The admins should not be able to figure out the actual password, despite looking in the database.

2006-12-19 05:13:41 · answer #2 · answered by csanon 6 · 0 0
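The difference the answer above is pointing at, shown as an added example that is not part of the original answer or of the vendor's product: the same user table written two ways, first with the password itself as the record (the scheme the question describes), then with a salted PBKDF2-HMAC-SHA256 hash standing in for the "proper algorithm" (my choice of algorithm, not something the thread names). The in-memory dictionary stands in for the system's user table, and the usernames and passwords are constructed sample data; the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Dict

# Assumption: a plain dict stands in for the document control system's
# user table (username -> stored credential record).
UserTable = Dict[str, str]

# Assumption: PBKDF2 work factor. Raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(db: UserTable, username: str, password: str) -> None:
    """The scheme the question describes: the record *is* the password."""
    db[username] = password


def check_plaintext(db: UserTable, username: str, password: str) -> bool:
    return db.get(username) == password


def store_hashed(db: UserTable, username: str, password: str) -> None:
    """Store a per-user salt plus a slow, salted hash instead of the password.

    Record layout (assumed, not the product's format):
        pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    The salt is random per user, so two users with the same password get
    different records and an admin cannot spot shared passwords either.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    db[username] = "$".join(
        ["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()]
    )


def check_hashed(db: UserTable, username: str, password: str) -> bool:
    """Re-derive the hash from the submitted password and compare it.

    The stored record is enough to *verify* a password but not to recover
    it, which is exactly what the admins in the question should be limited to.
    """
    record = db.get(username)
    if record is None:
        return False
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def admin_can_read_password(db: UserTable, username: str, password: str) -> bool:
    """What the 'admin girls' see: is the password itself visible in the row?"""
    return password in db.get(username, "")


if __name__ == "__main__":
    weak, strong = {}, {}
    store_plaintext(weak, "geoff", "Tr0ub4dor&3")
    store_hashed(strong, "geoff", "Tr0ub4dor&3")
    print("plaintext row:", weak["geoff"])
    print("hashed row:   ", strong["geoff"])
    print("admin sees password (plaintext):", admin_can_read_password(weak, "geoff", "Tr0ub4dor&3"))
    print("admin sees password (hashed):   ", admin_can_read_password(strong, "geoff", "Tr0ub4dor&3"))
    print("login still works (hashed):     ", check_hashed(strong, "geoff", "Tr0ub4dor&3"))
```

Note that this only closes the "admin reads the password column" hole; it says nothing about the transport, which the answer also raises, and it does not stop an admin who can write to the table from simply replacing a user's hash. A slow hash with a per-user salt is the minimum any supplier should ship without being asked.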

Go to www.opsi.gov.uk/ and click on Public Acts 1996-2006, then click on Public Acts 1998, then click on Data Protection Act 1998. Go to Part 1, Preliminary, Sensitive Personal Data. Also go to Parts 2 and 3.

The Data Controller is the person who supplies information about a person or group of people to another person, party or organisation. Excluding National Security, personal transfer of data must be done with the knowledge and consent of the person concerned.

When you go to the above site you can print the entire act in HTML. This is preferable as you can study it at your leisure.

2006-12-20 02:45:41 · answer #3 · answered by D G 6 · 0 0

The passwords should be encrypted, but that's not the responsibility of your supplier (unless you specified it in your request). It's your responsibility to ensure the integrity and security of any information contained in your systems.

2006-12-19 05:15:27 · answer #4 · answered by radar 3 · 0 0
