/v3-uk/news/2008766/vnunetcom-analysis-information-commissioner-slams-uk-privacy-practices
11 Jul 2007, Ian Williams, V3
The UK's Information Commissioner has called on chief executives to clamp down on "careless and inexcusable" breaches of personal information.
Richard Thomas said in the 2006/07 annual report (PDF) from the Information Commissioner's Office (ICO) that the UK has suffered unacceptable security breaches over the past year, involving leading names such as Orange and several high street banks.
"Over the past year we have seen far too many careless and inexcusable breaches of people's personal information," said Thomas.
"The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying."
In February alone the ICO found Alliance & Leicester, Barclays Bank, Clydesdale Bank, Co-operative Bank, HBOS, HFC Bank, Nationwide Building Society, Natwest, Royal Bank of Scotland, Scarborough Building Society, The Post Office and United National Bank in breach of the Data Protection Act and ordered them to sign formal undertakings.
Information stolen as a result of poor data security practices can be used in identity fraud and theft, which is currently costing the UK £1.7bn a year.
The ICO received almost 24,000 enquiries and complaints concerning personal information in 2006/7.
As a result it prosecuted 16 individuals and organisations in the past 12 months and two parliamentary inquiries have started following the Commissioner's call for a debate on the UK's 'surveillance society'.
The public's awareness of data protection rights has risen to an all-time high of 82 per cent, and an increasing number of people understand that personal information must be handled appropriately.
"Business and public sector leaders must take their data protection obligations more seriously. The majority of organisations process personal information appropriately, but privacy must be given more priority in every UK boardroom," warned Thomas.
"Organisations that fail to process personal information in line with the Principles of the Data Protection Act risk enforcement action by the ICO and losing the trust of their customers."
The Information Commissioner has called for stronger audit and inspection powers for his office to ensure that personal information stays private.
Currently the ICO can only audit organisations' information handling practices with their consent. The Commissioner wants the right to inspect and audit practices where poor practice is suspected.
Security analysts and consultants are in strong agreement with the report's findings.
"IT processes and procedures are at the heart of the problem highlighted by the Information Commissioner's annual report," said Philip Wicks, a security consultant at Morse.
"There should also be audit trails so that it is easy to see how and when data has been accessed to deter people from misusing it."
Wicks stressed that employee education is a key factor, so that people know what policies and procedures they should be following when handling customer data.
"It might sound obvious but companies need to have a policy on issues such as customer data being taken offsite on laptops and then ensure that these policies are enforced," he said.
Greg Day, a security analyst at McAfee, added: "It is now a daily occurrence for a news story to appear of a high profile company having breached data protection legislation and put their customers' information at risk of being used for criminal purposes.
"It is a company's responsibility to manage this data to prevent security breaches, and it is imperative that companies learn from the high profile mistakes of others and address this issue before further breaches occur."
The report also reveals that the ICO has received almost 6,000 complaints under the Freedom of Information Act and issued over 600 decision notices.
Around 30 per cent of the Commissioner's rulings upheld the initial decision by the public authority, while 38 per cent of decision notices issued by the ICO ruled in favour of the complainant.
In 32 per cent of cases the Commissioner upheld some elements of the complaint in favour of the complainant and agreed with the public authority on others.
Any company or individual who processes personal information must comply with the Principles of the Data Protection Act. These stipulate that personal information is:
Who can we now trust with our personal details?!
The breaches that Richard Thomas refers to explain why we, as consumers, are becoming increasingly incensed at how careless some UK organisations are being when using sensitive customer information. There is also growing evidence that in some cases deliberate misuse of this data, solely for the financial gain of the business, is being sanctioned at the highest level in businesses, either directly or through abdication of corporate responsibility.
The problem is that too many organisations are storing and using the same customer data, without control, so one department or office is not aware of what the other is doing with that information. As the article suggests, this can easily lead to customer contact being duplicated, for example, multiple sales calls to the same customer on the same day. This destroys brand value, something that all executives acknowledge is difficult to build in today's market place, yet they are simply not in control of what is happening. This type of carelessness is negatively affecting the customer's experience of some organisations, and UK executives must address this if they want to maintain a positive relationship with their customers.
There are enough threats to customer data from the criminal community, without legitimate organisations adding to it through an array of careless activities which can be managed. Deliberate misuse is inexcusable, even through ignorance, and must be punished by the IC. I am sure that ignorance and poor management will be suitably punished by consumers over time. The danger here is that those who do protect data effectively will be tarnished by those who do not.
Posted by David Arrowsmith, SAS UK, 12 Jul 2007