ICO launches Personal Information Promise

Organisations are urged to sign up to the ICO's Personal Information Promise

UK data protection watchdog the Information Commissioner's Office (ICO) has launched a new initiative designed to promote safer data handling practices within organisations.

The Personal Information Promise, unveiled on the third annual European Data Protection Day, is a voluntary charter that would allow businesses and government departments to "demonstrate their organisation's senior level commitment to data protection".

The charter lists several key commitments, including a promise to "keep personal information to the minimum necessary and delete it when we no longer need it" and to be "open with individuals about how we use their information and who we give it to".

Organisations including Vodafone, BT, British Gas and Royal Mail have already signed up.

Paula Barrett, head of the data protection group at law firm Eversheds, said that the initiative may help firms to "take the high ground and engender trust". However, she warned that, having signed up to the promise, breaching it could be "double jeopardy".

"It will be interesting to see how the ICO carrot-and-stick enforcement strategy works in that scenario," she said.

Jamie Cowper, European director of marketing at encryption firm PGP, welcomed the European Data Protection Day as a good opportunity to raise awareness and generate debate among consumers and organisations about data protection issues. But he warned that organisations must take a much more proactive approach to data security in future.

"For governments this means putting the correct measures in place to protect citizens' data within the so-called 'super-databases', and for enterprises this means creating robust data protection strategies to reduce the risk of reputational damage in an already turbulent marketplace," he said.

Simon McDougall, from the technology risk team at consultancy Deloitte, argued that firms need to understand the data they are processing, and where it is being processed, as data protection laws vary widely from country to country.

He added that firms must also be clear on why they are processing certain data, and that they must be sure that any third parties handling this data meet their own high standards.