In the wake of the ICO receiving long-overdue powers, companies will need to resolve their data protection issues.
From the start, the FSA has been able to issue hefty fines. By comparison, the Information Commissioner's lack of powers to penalise companies for data security and privacy breaches has left it looking like a toothless tiger. That is all set to change, and companies should revisit their data security procedures before the Information Commissioner's Office (ICO) comes knocking.
As the appointed regulator of both the Data Protection and Freedom of Information Acts, the ICO has a plentiful workload. The authority has repeatedly called for stronger powers in fulfilling its duties, as enforcement notices coupled with bad publicity for errant data controllers are not powerful enough to act as proper deterrents. Following the loss of the personal records of 25 million people by HM Revenue and Customs in 2007, the Government commissioned the Information Commissioner, Richard Thomas, and Dr Mark Walport, a director of the Wellcome Trust and member of the Government's Council for Science and Technology, to conduct a review into the use and sharing of personal information in the public and private sectors.
Predictably, this “Data Sharing Review” called for greater powers for the ICO.
The Government agrees and a final announcement is expected soon. Finally, 10 years after the Data Protection Act came into force, the ICO is on the verge of being granted greater powers.
These look set to include inspection powers and the ability to fine organisations for breaches of the data protection principles. The power to fine will apply where the breach was deliberate, or where the controller knew or “ought to have known” there was a risk that the breach would occur.
In practice, it is doubtful that a company with a large amount of personal data will be able to claim that it could not have predicted a breach. For example, the ICO ordered Marks & Spencer to encrypt personal data it carried on laptops following the theft of a laptop containing the details of 26,000 workers from its managing director's house.
Mick Gorrill, assistant commissioner at the ICO, reiterated: “It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption.”
The ICO's funding is also likely to be increased. This will come as a great relief to the ICO, which had announced in March 2008 that, due to its limited resources, it would focus its efforts on risk prevention rather than enforcement, placing emphasis on the public sector rather than the private sector, as this is where it felt the most serious data protection risks could arise.
In the meantime, as if to prove that it is determined to see the job through, the Government added powers for the ICO in the new Criminal Justice and Immigration Act in May 2008, allowing the ICO to fine companies. These powers, including the ability to issue fines, have yet to come into force. The ICO revealed recently that since the HMRC data loss, 277 incidents had been reported to it and it was investigating 30 of these. With a bigger budget and more powers, coupled with clear warnings from the ICO, now is the time for you to take stock of your data security procedures before the new powers come into force.
Ensure your staff or contractors do not take unencrypted personal data out of the office on laptops or memory sticks.
Check also that your data processor has adequate safeguards in place, especially if it is based overseas. Think about the transfer process too, and whether it is carried out securely.
Also, consider installing software that will prevent bulk downloading of data. After all, a large fine, particularly in the current economic climate, could spell disaster for a company.
Frank Jennings is a partner in DMH Stallard's technology group and head of the commercial team. www.dmhstallard.com