The Information Commissioner’s Office (ICO) released its annual report earlier this month, with a call for chief executives to prioritise protection of their customers’ sensitive data.
Speaking at the launch of the report, Information Commissioner Richard Thomas said that organisations in the private and public sector need to raise their game. “Over the past year, we have seen far too many careless and inexcusable breaches of people’s personal information,” he argued. “The roll call of organisations that have admitted serious security lapses is frankly horrifying.”
The report mentioned a wide range of previous incidents to highlight the scale of the privacy problem, including Liverpool City Council being fined £300 in December 2006 for failure to comply with the Data Protection Act (DPA); and an investigation into high street banks, such as NatWest and Barclays, which revealed that customer data was being thrown away into rubbish bins outside the banks’ premises.
The privacy watchdog is likely to use the information in the report as evidence of the need for stronger enforcement powers.
Earlier this year, Thomas called for the automatic right to inspect and audit companies suspected of breaching the DPA. Currently, this requires the company’s consent.
George Gardiner of law firm Gardiner & Co said the report highlights the need for greater powers for the privacy watchdog. “The problem is the ICO is under-funded and has inadequate powers. As a result, it cannot investigate complaints, nor can it take effective action,” he argued. “The ICO says that in 2006/2007 it fielded 24,000 complaints and enquiries, yet it has only managed 16 prosecutions in the past 12 months.”
Cliff Evans, ID management lead at consultancy Capgemini, agreed that the weight of evidence supports the Information Commissioner’s calls for stronger powers. “But more auditing work has an implication on resources. The ICO needs to communicate with organisations and make them more aware of their responsibilities,” he added.
The high level of incidents outlined in the report could also lead to renewed calls for the government to introduce US-style data breach notification legislation. This requires organisations to inform individuals of any incidents that could expose their personal information.
Alex Brown, a partner in the Communications, Outsourcing and Technology Group at law firm Simmons & Simmons, pointed out that this type of legislation already exists in Europe through the E-Privacy Directive, which is part of the Telecoms Regulatory Framework.
Under the directive, communications providers, such as ISPs and telcos, are required to notify their customers about network security breaches. “One current proposal is to expand this requirement to cover general data security breaches,” Brown said. “An EU working party is also considering the possibility of expanding the directive to cover other organisations, rather than just communications providers, as the recent serious security breaches have not involved the telcos.”
Brown added that the most likely outcome of the report would be more severe penalties. “We could see the level of fines go up,” he said.