Following a three-month consultation with industry, government, academia and consumers (but not the Information Commissioner's Office (ICO)), on Tuesday 2 June the British Standards Institution (BSI) launched the first British Standard on personal data management, BS 10012: Specification for a personal information management system. Its aim is to establish best practice and to aid compliance with data protection legislation.
The standard is not prescriptive about the specific steps and measures to be taken; instead it provides guidance and a framework within which personal information can be managed effectively. It is intended for use by both private and public sector organisations and covers areas such as risk management, training and awareness, data sharing, data retention and disposal, and disclosure to third parties.
The launch of the standard coincides with two other publications. The first is a BSI report on the results of its recent survey of data protection compliance by organisations. The second is a Personal Data Guardianship Code launched by the Information Security Awareness Forum and the British Computer Society.
The BSI survey highlighted some of the challenges organisations face in trying to comply with the legislation. One in five SMEs admitted to breaching data protection legislation, and nearly half of these believe breaches have occurred on several occasions. 65% do not provide data protection training for their staff, and nearly half have no one responsible for data management within the business. Particularly worrying is that 15% of those surveyed are not confident that they share data in accordance with the legislation, and 5% of these admitted to sharing data regardless. The new personal information management standard is intended to address these issues and to give a helping hand to organisations struggling to understand and comply with the legislative requirements.
The Personal Data Guardianship Code is intended to promote best practice and provide guidance on the handling of personal data. The code sets out five principles of good data governance, namely accountability, visibility, consent, access and stewardship. It also focuses on how advances in technology have increased the potential for mishandling personal data. The code is aimed at both businesses and individuals as it summarises the rights and responsibilities of data subjects, including the need to protect personal information and how to complain under the Data Protection Act 1998 (DPA).
The standard and the code are a timely lifeline for organisations that may already be in breach of data protection law, since both have been launched ahead of the ICO's increased powers to prosecute and fine organisations in breach of the DPA coming into effect. Once in full force, these powers (enshrined in the Coroners and Justice Bill) will allow the ICO itself to impose fines.
While the level of these fines has not yet been set, they are expected to be based on a percentage of the organisation's annual income. This will give the ICO more teeth to enforce the Data Protection Act 1998, as its current 'naming and shaming' approach is clearly not severe enough to ensure compliance by smaller companies. The ICO has not commented on the new standard, so it is not yet clear how much weight the Commissioner will give to compliance with it when judging whether an organisation has met its data protection obligations.