Following on from the article earlier this week which talked to the former Information Commissioner about his current work, plans and ambitions, I spoke to Richard Thomas about his thoughts on current issues.
I began by asking Thomas, now a strategy advisor to the Centre for Information Policy Leadership at law firm Hunton & Williams, about data protection and how companies can reduce the risk in his view.
Claiming that data protection is all about risk - with the right controls in place risk can be reduced - Thomas pointed to recent incidents by stating that ‘if the risk does materialise, there is a huge price for companies to pay in reputational and financial terms'.
Thomas said that when he was the Information Commissioner, his office published a chart tracking reported losses, and recorded over 500 in the space of 18 months which has since risen.
Thomas said: “Some are coming to light because organisations are waking up to what might happen - they are doing audits and realising that they have lost something.”
Pointing to the incident where the details of 6,000 prisoners were breached when an unencrypted USB stick was lost, Thomas explained that the stick had been left in a desk and stolen. The person then reported the incident and the boss told the Home Office who then told the ICO. It became a big story.
Thomas said: “How many workers in that situation are even aware that they have lost a memory stick? Would they tell their boss? And how many bosses would tell the client? There must be many examples where people do not know that they have lost the data, let alone reported it to somebody else.”
I asked Thomas if this was a problem with portable data devices in general. He claimed that a lot of politicians and senior civil servants and managers do not understand the technologies and do not understand the risks.
Thomas said: “I cannot tell you how many senior civil servants have told me they had no idea they could get 25 million records onto a couple of disks. If I got a pound for every time that was said I would be a rich person.
“People in a work environment can still take a rather casual attitude to information management. After one big incident, a report described some people at the Ministry of Defence as the 'Facebook generation'. In other words, they are used to being quite casual with their own data and forget the discipline you need in the workplace.”
He later claimed that - when it came to social networking - he did not want to appear as a ‘grumpy old man as the regulator telling kids you cannot go on Facebook'. Education is key and he referred to a University programme run by the ICO which was pushing the message of ‘by all means take part in social networking - but just be aware of what you are doing'. Thomas said that there were many transitional problems, as the first generation of social network users made mistakes. They are finding out that if you put pictures on the internet of yourself as a drunken student, they can still be there ten years later.
Thomas said: “I went to a conference a while ago and someone asked what the big deal was, because in ten years time everyone who will be 32 will have a picture of themselves vomiting in the gutter.
“I do not subscribe to that point of view, but I think people do need to be aware that they have got quite a strong responsibility to safeguard their own privacy. As I say it is largely a transitional policy, but the next generation are very savvy and probably know more than most commissioners and lawyers about how to look after themselves. Telling kids how to behave can easily be dismissed as patronising.”
He also encouraged awareness of privacy settings on websites and said that while there is responsibility on the shoulders of people, companies have a responsibility too.
“We talked to Facebook and other social networking sites a lot and urged them to explain to their users how the privacy settings work. In the early days they were not very clear and were hard to operate. We also had discussions about how long they kept their data for. If people want to have their profile taken off then our broad approach was that they should be able to remove it altogether, and that is an ongoing discussion,” said Thomas.
Bridget Treacy, partner at Hunton & Williams, commented: “Recently Facebook changed their privacy notice in response to protests from users. That is an excellent example of users expressing their preferences and an organisation responding. There are others too, pointing to the fact that people care about their privacy. If consumers care about this issue, businesses need to ensure they do too. ”
What about employment situations? Is there is a responsibility on the part of the employer, and is there a case for them to monitor the actions of staff during working hours?
Thomas admitted that this is a complicated area and while at the ICO, he had published a widely-welcomed Employment Code of Practice which has become the definitive guide.
He told me that this recognised that some employers may legitimately need to make sure that there is no abuse of facilities, such as looking at pornography in work time, so the broad approach was that employers should tell people what was going on.
Thomas said: “If you notify your staff, and remind them on a regular basis, then you can do most of the things that you need to do as an employer. This concept of notifying people in ways that they understand is really important, and whereas secret employer monitoring was really controversial five years ago, the heat has been taken out of that issue.
“Companies had said that they needed to monitor staff otherwise people do what they like, walk off with our money, access pornography and so on. So they need to have some checks in place, and we made the effort to get the balance right.”
Moving on to another current and hot topic – inside security threats and associated risks - Thomas again claimed that is something that should be both monitored and controlled from the top.
Thomas said: “The way I used to put it was that this is something that senior management must focus on. There needs to be someone at or near the top – certainly at board level – who has implemented checks under three headings: policies and procedures; technology; and people. You have got involve all three boxes and you have got make sure the weakest link is covered.”
He admitted that most insider incidents are accidental, but the damage can be very severe, with damage to the people whose data is compromised and to the company, leading to big fines, cost, reputational and share price damage – all showing why it needs to be taken seriously. When the T-Mobile incident occurred recently, there were suggestions that staff had been deliberately selling data.
There have been claims that the £5,000 maximum fine was a paltry sum for perpetrators. I asked Thomas if there was a need for punishments to be revised, and even for trading sanctions to be imposed.
He claimed that in the last couple of years of his time as the Commissioner, he had persuaded the government to increase the standing, power and resources of the office. There are now increased notification fees for the largest organisations, new powers of inspection and much stronger sanctions.
These sanctions will be introduced from next year when ‘a company or government department deliberately or recklessly ignore data protection requirements, and cause serious harm, then they will face a civil penalty'. Thomas explained that this will affect anyone who is a data controller, and there are over 300,000 of them in the UK.
Treacy said: “At the moment the Financial Services Authority can fine banks and insurers that lose data. These fines have been hefty - £3 million in the case of HSBC. The current position is anomalous: a bank can be fined for a data loss, yet a pharmaceutical company would not currently be fined for the same loss.”
Thomas said: “Giving ICO parallel sanctions is a brand new development but I am pleased to leave it as a legacy for my successor. I fought quite hard to get those powers and those resources but these things do take time.
“The next thing is proposing to introduce prison sentences for those who steal or sell data, and we campaigned for this for nearly two years in the Office. The government is consulting on it right now.
“If someone is out to actually steal data then they are doing it for what they think is a good reason. That is looking for large sums of money or to cause damage to people, so I would always take deliberate data theft much more seriously than accidental.”
Finally, with a new government possibly in 10 Downing Street next year, I asked Thomas what he thought of Tory plans to empower and reform the ICO should they be elected next year.
Thomas said: “All three parties are now competing to enhance the standing and the authority of the ICO. The Conservatives published a paper four weeks ago; the Liberals have always said it and the current government is now beginning to do it. So I am all in favour of competition like that!”