Results from a recent survey of over 500 small and medium-sized businesses carried out on behalf of the British Standards Institute (BSI) are likely to give cause for concern among insurers offering privacy/data protection cover to small and medium-sized enterprises (SMEs). The results revealed that, of those SMEs who took part, 20% had unknowingly breached the Data Protection Act (DPA); just under 50% of these had breached the DPA more than once; and a further 18% were unaware whether they had done so or not.
The survey (the subject of a recent press release on the BSI website) produced some further alarming statistics, including the revelation that 65% of businesses provide no data protection training to staff; nearly 50% had no one within their organisation to deal with data protection issues; 15% of businesses are not confident that their data sharing practices conform with the DPA (5% of these share their data regardless); and 18% said that data protection is less of a priority in the current economic climate.
The above statistics were released in conjunction with the BSI’s new BS10012: ‘Data Protection – Specification for a Personal Information Management System’, which is intended to establish best practice and assist compliance with data protection legislation. But with five million SMEs in the UK and an increasing number of insurers providing cover for DPA and privacy right liability, the findings will cause insurers to question whether they should be asking for more details on data protection practices or doing more to provide policyholders with guidance on the complex legislative framework surrounding data protection.
DPA and the eight ‘Principles’
Adopted in July 1998, the purpose of the DPA was to protect the rights of an individual about whom data is obtained, stored, processed or supplied. It applies to data stored in electronic form as well as personal data in a structured hard-copy form and would include, for example, customer details which may be used for marketing purposes.
The DPA contains eight fundamental ‘principles’ requiring that data must be: (1) fairly and lawfully processed, (2) processed for limited purposes, (3) adequate, relevant and not excessive, (4) accurate, (5) not kept longer than necessary, (6) processed in accordance with the data subject’s rights, (7) secure, and (8) not transferred to other countries without adequate protection.
It is the role of the Information Commissioner’s Office (ICO) to enforce the provisions of the DPA and take action against any organisation which may be in breach. Common breaches involve failure by organisations to notify the ICO with required details on how they are processing information or obtaining or disclosing personal information without the consent of the processing organisation.
Not only does the Act provide criminal sanctions for breach of certain provisions (for example, failing to notify) but the ICO can also issue information notices (requesting information on data processing practices), enforcement notices or “stop now” orders (requiring an organisation to take or refrain from taking steps to comply with the DPA).
Additionally, the DPA provides that an individual can bring an action before the courts against a processing organisation seeking compensation for damage and distress caused by any failure to comply with the DPA.
Impact for insurers
In addition to the potential damages liability (for which insurance cover is widely available), the investigative and enforcement roles of the ICO can also impact on certain ‘cyber risk’ covers. Managerial and administrative time and cost to ensure compliance with information notices can be considerable, depending upon the size of the insured organisation and the amount of personal information which it holds. Steps which must be implemented to comply with enforcement notices from the ICO can also prove costly where such costs are insured.
In view of the findings of the BSI survey, insurers may consider requiring policyholders to provide more information on their data protection practices in proposals and/or reviewing policy conditions in relation to the implementation of data protection procedures.
Given the complexity of the DPA and associated legislation, insurers offering this cover might also consider providing their policyholders with basic risk management guidance on how to comply with their data protection obligations.