Data protection act and responsibilities

My missus is a part-time self-employed book keeper for three small businesses (a farm shop, and electrician and a plastering company in case it matters)

She is a member of the AAT (Association of Accounting Technicians) and, as part of its membership renewal, it now stipulates that you must register with the ICO under the Data Protection Act.

So she's done that, and paid the £35 fee, but has now got herself into a flap about the DPA requirement that information is "kept securely"

At the moment the 'data' (VAT return info and ledgers etc) is on a Windows laptop. It's got AVG antivirus installed, and the firewall on my router is switched on. Id that enough security? She's worried that if someone hacks her machine, or breaks in a steals it, she will be liable under the DPA.

3 separate password protected and encrypted usb memory sticks (ie one for each client)well labled is how id deal with it, but read the guidance document.


https://ico.org.uk/for-organisations/guide-to-data...

I did read the Guidance Document for Small Businesses, and got a bit lost in it TBH. It suggested assigning the Director of Resources to be responsible for security, but unless I can persuade the cat to become said director, we haven't got one.

There is some useful advice, but also a lot of stuff like "computer security needs to be appropriate" and "measures you take must be appropriate" which don't really tell you anything much at all.