All the latest UK technology news, reviews and analysis


Infosec 2013: ICO dismisses EC's 'tick box' approach to data protection

24 Apr 2013
Deputy information commissioner David Smith

The data protectionlegislation proposed by the European Commission (EC) takes too much of a "tick box" approach to be effective and will do nothing more than lumbering firms with excessive paperwork, according to the deputy information commissioner, David Smith.

Smith said the EC has over-legislated, making its proposed cross-national privacy and data protection laws unworkable in the UK during a discussion at the Infosec event on Wednesday.

"Businesses know they need to have proper documentation, to ensure there are proper policies and procedures in place, proper security measures, proper staff with sufficient training and qualifications and so on. In many ways we're happy to leave it at that, so you [businesses] put the procedures in place and when we come knocking at the door you justify to us how effective they are," said Smith.

"The problem is because we're going for harmonisation all those measures are spelled out in detail, listing all the types of documentation you can keep and rather than appropriate staff dictating ‘you shall have an information officer with these qualifications' and a lot of other details.

'All this undoes the idea of you being responsible and turns it into a tick box. We're more bothered about assessing the risk and the outcomes than box ticking, it's about privacy, it's not about having the right paperwork."

Smith said that the Information Commissioner's Office (ICO) isn't completely against cross national privacy laws and that its issues are only with the exact version currently proposed.

"We welcome the spirit of what's going on, it will give better rights to individuals and it will protect their data," he said.

"Things like the concept of accountability, though the word itself isn't used, will mean that businesses will not only need to have compliance mechanisms in place to ensure they're protecting people's personal information properly, they'll also need to demonstrate the mechanisms are in place and that they're also effective in practice.

"The problem is the EC's proposed legislation then goes into great detail and as a result undoes that."

The deputy commissioner went on to reiterate the ICO's belief that the legislation's section on individuals' right to be forgotten will also be difficult to implement.

"For me the right to be forgotten doesn't mean a lot. It is important but it's not really a right to be forgotten in the strictest sense," he said.

"Even the commission that drafted this didn't intend for people to be able to expunge all online records about them, that's just not realistic given the way information flows and it's also not right that you can potentially re-write history. Would you really want it so people could expunge a criminal conviction?"

Smith argued that the right to be forgotten is still useful as it will lead to improved legislation on other privacy issues.

"There are some important things in there. It reminds businesses not to store people's personal information longer than required. There does need to be some proper deletion procedures so nothing is kept forever. Part of this is also the individual's right to object, which again we think is important," said Smith.

The deputy commissioner raised similar concerns alongside European data protection supervisor Peter Hustinx during a Westminster discussion earlier in the year.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

Windows 10 poll

What are your first impressions of Windows 10?
12%
5%
10%
3%
19%
3%
48%

Popular Threads

Powered by Disqus
V3 Sungard roundtable event - Cloud computing security reliability and scalability discussion

CIOs debate how to overhaul businesses for the digital era

V3 hosts roundtable with Sungard Availability Services

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

DevOps Engineer - Established, Well-know eCommerce Website!

DevOps Engineer, Puppet, Chef, Continuous Integration...

Systems Engineer Windows Server SCCM Exchange Finance London

Systems Engineer (Microsoft Windows Server 2008/2012...

Architect C# ASP.NET Web API Java Digital Finance London

Solutions Architect (C# ASP.NET Web API RESTful REST...

ETL Powercenter Developer

We are currently looking for Informatica IDQ developer...
To send to more than one email address, simply separate each address with a comma.