A number of recent developments at both the UK and EU level mean that data protection compliance needs to be high on the corporate agenda. The standards for best practice are getting higher and the enforcement activity of the Information Commissioner's Office is increasing.
Information Commissioner publicly "names and shames" companies for poor data security
Due to the recent spate of high profile data leaks, the Information Commissioner's Office (ICO) is very publicly pursuing breaches of the Act. Recent ICO actions include:
- In January 2008, Marks & Spencer (M&S) was ordered to ensure all laptop hard drives are fully encrypted by April 2008. This follows on from the theft of a laptop which contained details of the pension arrangements of 26,000 M&S employees. The ICO has also issued a general statement on its website:
"…. in future, where such losses occur and where encryption software has not been used to protect the data, enforcement action will be pursued."
The ICO's guidance makes it clear that security measures also need to be taken for portable storage devices that contain personal data (eg CDs, USB sticks, BlackBerrys).
- In January 2008, Carphone Warehouse and its sister company TalkTalk were ordered to provide better protection for customer data. Both companies had been found to be opening customer accounts in the wrong name and passing inaccurate information on to credit reference agencies and debt collection agencies. Security failings had also led to customers being able to view other customers' account details online. In addition, the ICO found that the companies had not responded to requests by individuals for information held about them.
- In March 2007, HBOS, Alliance & Leicester, Royal Bank of Scotland, Scarborough Building Society, Clydesdale Bank, Natwest, United National Bank, Barclays Bank, Co-operative Bank, HFC Bank, Nationwide Building Society and the Post Office were all found to have improperly disposed of paper records. They were publicly named and shamed and required to sign a formal undertaking to comply with the Principles of the Data Protection Act.
In the financial services sector the Financial Services Authority (FSA) has also clamped down hard on poor data handling practices:
- In February 2007, the Nationwide Building Society was publicly named and shamed and fined almost £1 million for failing to implement adequate controls to mitigate information security risks. A laptop containing Nationwide customer data was stolen. Three weeks passed after the theft before the bank realised confidential data was on the laptop and took action to mitigate the damage.
ICO pushes for more powers and bigger penalties
In December 2007, the ICO presented a paper to Parliament calling for changes to be made to the Data Protection Act 1998. The paper includes the following proposals:
- a penalty for knowingly or recklessly failing to comply with the data protection principles;
- a power for the ICO to inspect a data controller (currently the ICO can only do this if invited to do so or if the ICO obtains a warrant);
- a power for the ICO to order a data controller to undergo an independent audit;
- enhanced enforcement powers to bring seriously unlawful processing to an immediate halt, to place formal undertakings on a statutory basis and to enable the ICO to take enforcement action to prevent breaches of the Act that are likely to occur; and
- information notices that can be served on any person rather than just a data controller.
The UK Government seeks to get its own house in order
Following on from the widely reported loss in late 2007 by Her Majesty's Revenue and Customs of the records of 25 million UK citizens claiming child benefits, the Prime Minister asked the Cabinet Secretary to establish a review into data handling procedures in Government. An Interim Report was released in mid December. The aim is to complete the full report in early 2008.
At the time the Cabinet Report was first commissioned, the Foreign Office was also found by the ICO to be in breach of the Data Protection Act, as the Foreign Office website allowed personal data of visa applicants to be viewed by others. This continuing series of data leaks from government departments means that the Cabinet Report and data protection in general will remain a government priority for some time.
Taken in isolation, each of these developments may scarcely raise a blip on the regulatory compliance radar for most businesses. Viewed collectively, they make it clear that, as a result of a continuing succession of high profile data leaks, the standard for data protection compliance is being raised significantly (eg, encryption of all laptops). Equally true is that the consequences of poor information governance are becoming so significant that compliance must be a priority for all businesses. In practice this means that businesses should:
- monitor the ICO enforcement decisions to determine their impact on operational practice (eg, laptop encryption, proper records disposal, encryption of data storage devices);
- take steps now to prepare for the likely introduction of greater ICO enforcement powers. If the ICO obtains the power to conduct or require data protection audits it will become even more important that a data handling policy is in place and that the business can demonstrate that the policy is being complied with in practice.