Learning Outcomes
After reading this article, you will be able to explain why businesses have ethical and legal responsibilities regarding personal data, identify legal principles relevant to data protection, outline key internal controls for secure information handling, and describe good practice for storing, processing, and retaining accounting records. You should also be able to recognise common threats to data security and practical steps to reduce risk.
ACCA Recording Financial Transactions (FA1) Syllabus
For ACCA Recording Financial Transactions (FA1), you are required to understand how ethical and legal requirements affect the handling of financial records. In particular, you should be able to:
- Recognise why data protection is necessary for personal and business data
- Summarise legal requirements and good business practice for retaining documents
- Identify security measures for controlling access to accounting records
- List risks to data security and methods for reducing those risks
- Understand the importance of confidentiality in financial recordkeeping
Test Your Knowledge
Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.
- Which principle of data protection requires businesses to keep only necessary and accurate personal data, and not for longer than needed?
- What are two important controls a business can put in place to secure access to accounting records?
- Which of the following is not a valid reason to share customers' personal details with a third party?
a) The customer has given consent
b) Required by a legal contract
c) For marketing without notice or consent
d) To comply with the law
- Give one practical risk and one control related to the safe storage of accounting data.
Introduction
Every business is responsible for holding and using information about people—customers, suppliers, and employees. These details can include names, addresses, pay, and more sensitive data. Protecting this information is not just best practice, but often a legal obligation under data protection law. Inaccurate or mismanaged records create compliance problems and can lead to breaches, reputational damage, or financial penalties.
Understanding the ethical requirements for handling data, as well as specific controls to protect records, is essential for anyone involved in financial recordkeeping. This article explains key data protection ideas, the main controls to secure accounting data, document retention policies, and good practice for the safe handling of records.
Key Term: data protection
The legal and ethical responsibility to collect, use, store, and dispose of personal information fairly, securely, and only for legitimate business reasons.
Data Protection: Legal and Ethical Duties
Handling customer or employee information creates a duty of care. Businesses are expected to safeguard all personal information—whether kept on paper, on a computer, or in the cloud.
Common legal principles include:
- Only collect and keep information for valid business reasons.
- Process data fairly and with respect for people's privacy.
- Do not keep unnecessary or inaccurate information.
- Only use data for the stated purposes and not share it without proper consent or legal reason.
- Protect information from loss, unauthorised access, or misuse.
- Give individuals the right to see, and if needed, correct information stored about them.
- Dispose of personal data securely when it is no longer needed.
Key Term: personal data
Any information relating to an individual who can be identified from that data, such as name, address, or account details.
Document Retention and Secure Storage
A formal document retention policy helps ensure that records are kept for as long as required for business or legal purposes, and then destroyed securely.
Typical practices include:
- Keeping accounting records for a minimum of 3–6 years (depending on local law).
- Storing active documents securely, either in locked filing cabinets for paper files or with password protection and restricted access in digital systems.
- Limiting access only to those who need it for their work.
- Safe disposal: shredding paper records and wiping or physically destroying data storage devices.
Key Term: document retention policy
A set of rules a business uses to determine how long different records are kept and when and how they should be safely destroyed.
Controls over Access and Data Security
Strong internal controls are fundamental in preventing data breaches.
Key controls include:
- Strong, unique passwords for all computer systems, with multi-factor authentication where the system supports it. The syllabus wording is "changed regularly"; note that current guidance (NIST SP 800-63B) favours changing a password when compromise is suspected rather than on a fixed schedule, since forced rotation tends to produce weaker, predictable passwords.
- User access levels: Only authorised staff can view or edit sensitive records.
- Physical security: Locked cupboards, safes for hard copies, and restricted access to server rooms.
- Use of backups—secure copies taken regularly, stored separately, and periodically test-restored, so that data can actually be recovered after a disaster.
- Training employees to understand risks, such as phishing emails or the dangers of leaving documents unattended.
- Segregation of duties: Different steps in recording, authorising, and reviewing transactions are handled by different staff.
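The two controls "user access levels" and "segregation of duties" are easy to state and easy to get wrong in practice, because a person with a high access level can often still perform every step of a transaction alone. The following is an added illustration, not code from the FA1 article or from any accounting package: a small Python model in which each user has an ordered access level, and a transaction must be recorded, authorised and reviewed by three different people. The user names, roles, the three-step workflow and the sample transaction are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Access levels, ordered so a higher level includes the lower ones."""
    NONE = 0       # no access to the ledger
    READ = 1       # may view records (e.g. an auditor)
    EDIT = 2       # may record transactions
    AUTHORISE = 3  # may authorise and review transactions


# Assumed user directory for the example (not taken from the article).
USERS = {
    "alice": Level.EDIT,       # bookkeeper
    "bob": Level.AUTHORISE,    # finance manager
    "erin": Level.AUTHORISE,   # second manager, so a review can be independent
    "carol": Level.READ,       # internal auditor, read-only
    "dave": Level.NONE,        # sales staff, no ledger access at all
}


class AccessDenied(Exception):
    """Raised when a user lacks the level, or a duty is not segregated."""


@dataclass
class Transaction:
    ref: str
    amount: float
    recorded_by: Optional[str] = None
    authorised_by: Optional[str] = None
    reviewed_by: Optional[str] = None
    audit_log: list = field(default_factory=list)   # who did what, including refusals


def _require(user: str, needed: Level) -> None:
    """Access-level check: unknown users are treated as having no access."""
    have = USERS.get(user, Level.NONE)
    if have < needed:
        raise AccessDenied(f"{user} has {have.name}, needs {needed.name}")


def view(user: str, txn: Transaction) -> dict:
    _require(user, Level.READ)
    txn.audit_log.append(("view", user))
    return {"ref": txn.ref, "amount": txn.amount}


def record(user: str, txn: Transaction) -> None:
    _require(user, Level.EDIT)
    if txn.recorded_by is not None:
        raise AccessDenied(f"{txn.ref} already recorded by {txn.recorded_by}")
    txn.recorded_by = user
    txn.audit_log.append(("record", user))


def authorise(user: str, txn: Transaction) -> None:
    _require(user, Level.AUTHORISE)
    if txn.recorded_by is None:
        raise AccessDenied(f"{txn.ref} has not been recorded yet")
    if user == txn.recorded_by:  # segregation: level alone is not enough
        raise AccessDenied("segregation of duties: recorder cannot authorise")
    txn.authorised_by = user
    txn.audit_log.append(("authorise", user))


def review(user: str, txn: Transaction) -> None:
    _require(user, Level.AUTHORISE)
    if txn.authorised_by is None:
        raise AccessDenied(f"{txn.ref} has not been authorised yet")
    if user in (txn.recorded_by, txn.authorised_by):
        raise AccessDenied("segregation of duties: reviewer must be a third person")
    txn.reviewed_by = user
    txn.audit_log.append(("review", user))


def attempt(action, user: str, txn: Transaction) -> str:
    """Run one step and report the outcome; refusals are logged, not hidden."""
    try:
        action(user, txn)
        return "ok"
    except AccessDenied as exc:
        txn.audit_log.append(("denied", user, str(exc)))
        return f"denied: {exc}"


def run_demo() -> dict:
    txn = Transaction(ref="INV-1042", amount=1250.00)  # constructed sample record
    results = {
        "dave views": attempt(view, "dave", txn),              # no access at all
        "carol records": attempt(record, "carol", txn),        # read-only cannot edit
        "alice records": attempt(record, "alice", txn),
        "alice authorises": attempt(authorise, "alice", txn),  # level too low
        "bob authorises": attempt(authorise, "bob", txn),
        "bob reviews": attempt(review, "bob", txn),            # same person: blocked
        "erin reviews": attempt(review, "erin", txn),
        "carol views": attempt(view, "carol", txn),
    }
    results["final"] = (txn.recorded_by, txn.authorised_by, txn.reviewed_by)
    results["denied_count"] = sum(1 for e in txn.audit_log if e[0] == "denied")
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

The point to notice is the "bob reviews" step: bob holds the highest access level, yet the review is refused because he authorised the same transaction. Access levels limit what a role can do; segregation of duties limits what one person can do to a single record, and a system needs both. The audit log also records refused attempts, which is what an investigation under the breach-reporting control needs.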
Key Term: internal control
Procedures and safeguards established by a business to ensure financial records are accurate, reliable, and protected from error or misuse.
Key Term: confidentiality
The ethical and legal requirement to protect private or sensitive information from being accessed or disclosed to unauthorised persons.
Risks to Data Security and How to Manage Them
Typical risks to accounting records include:
- Accidental loss or physical damage (fire, floods, theft).
- Malicious attack (computer hacking, viruses, insider fraud).
- Human error (sending an email to the wrong address, leaving sensitive papers unattended).
- Deliberate misuse (sharing details with third parties for marketing without consent).
Controls to limit these risks:
- Regular staff training and clear policies.
- Up-to-date antivirus and firewall software.
- Immediate reporting and investigation of any suspected data loss or breach.
- Storing backup copies of key data in a different location.
- Not allowing sensitive data to be taken offsite unless the device or file is encrypted, so that a lost laptop or USB stick does not expose the data it holds.
Worked Example 1.1
Scenario: Manson Ltd stores customer payment details on company computers, including staff laptops. An employee leaves a company laptop containing this data on a train. What should the business have done to reduce risk? Which data protection principles are involved?
Answer:
The business should have encrypted the laptop's storage, limited the data held on mobile devices to what is actually needed offsite, and trained staff on security procedures. The loss should also be reported immediately so the breach can be investigated. Data protection principles involved are protecting information from loss or unauthorised access, and not keeping unnecessary information (full payment details should not have been held on a portable device unless required).
Worked Example 1.2
Scenario: A manager receives an email from someone claiming to be a customer's solicitor, requesting personal financial details. What is the correct course of action?
Answer:
Do not provide any information. Confirm the person's identity and authority first, using contact details obtained independently (for example, the customer's records on file) rather than those given in the email, then refer to company policy on data disclosure. Never release information without proper consent or clear legal grounds.
Exam Warning
Never share or use personal data for new purposes, especially marketing, without obtaining specific informed consent from the individual. Doing so is likely both unethical and unlawful.
Summary
Businesses have both a duty and a legal requirement to keep information accurate, safe, and private. Effective controls and clear retention policies help avoid costly mistakes and meet compliance obligations. Data protection is not just about avoiding fines—good practice maintains trust and ensures accounting records support sound business decisions.
Key Point Checklist
This article has covered the following key knowledge points:
- Explain the importance of data protection and the risks of poor information management
- Identify core principles of data protection laws
- Describe controls for secure handling, storage, and disposal of records
- Recognise internal threats and appropriate responses to data breaches
- Outline the features of a good document retention policy
Key Terms and Concepts
- data protection
- personal data
- document retention policy
- internal control
- confidentiality