In an impassioned attack on the failure of large organisations
to take data protection seriously enough, the Commissioner, Richard
Thomas, said that big business and government departments were not
living up to their responsibilities.
"Over the last year we have seen far too many careless and
inexcusable breaches of people’s personal information. The roll
call of banks, retailers, government departments, public bodies and
other organisations which have admitted serious security lapses is
frankly horrifying," he said.
The Information Commissioner's Office (ICO) releases its annual
report today. In the past year it has accused some of the UK's
biggest names of breaching the Data Protection Act, including
Nationwide Building Society, Orange, HBOS, The Post Office,
Littlewoods, Barclays Bank, and the Royal Bank of Scotland.
"How can laptops holding details of customer accounts be used
away from the office without strong encryption?" said Thomas. "How
can millions of store cards fall into the wrong hands? How can
online recruitment allow applicants to see each other’s forms? How
can any bank chief executive face customers and shareholders and
admit that loan rejections, health insurance applications, credit
cards and bank statements can be found, unsecured in
non-confidential waste bags?"
Thomas said that chief executives must take data protection and
the privacy of customers and employees more seriously. The problem
may not be at that level, though, according to Louise Townsend, a
data protection expert at Pinsent Masons, the law firm behind
OUT-LAW.COM.
"The examples he has given are horrifying examples, but I don't
think it's the case that organisations don't take this seriously. I
think the problem is they are not getting the message across to all
the organisation," she said.
"The Commissioner talked about local branches of banks putting
rubbish in bins with people's information in them; the big
financial services companies do take this seriously and have
compliance staff but they maybe need to have a look at how they
communicate to all their staff and how they put rules into
practice," said Townsend. "It's not about it not being taken
seriously, it's about how it filters down."
The ICO says that the limited powers of the Commissioner make it
difficult to police data protection effectively. It wants the power
to audit organisations without their permission, and is lobbying
for the creation of a two-year jail sentence for people
deliberately abusing personal data.
Greater powers could provide a more significant deterrent, said
Townsend. "The people he mentions just had to sign undertakings
which were put on his site, not pay a fine or face criminal
prosecution. If they faced a £1 million fine like Nationwide did
from the FSA then it might be taken more seriously than being put
on the Commissioner's website and signing a piece of paper," she
said.
The ICO said that it had now received 6,000 complaints and has
issued 600 decision notices. It said that it had received 24,000
enquiries in the past year and has prosecuted 16 individuals and
organisations in that time.