- ICO urges businesses to work with it on online privacy
- ICO launches new guidance on DP Act
- Verity Trustees guilty of losing 110,000 personal records
1. ICO urges businesses to work with it on online privacy
Information Commissioner Christopher Graham has urged businesses and organisations to win consumer confidence online now. Launching a consultation on Personal Information Online Code of Practice on 9 December, Graham said: “Meet us half-way and produce user-friendly privacy statements. A draconian EU Directive would make it very difficult to operate online. We need to find a balance.”
The ICO has developed its code in cooperation with industry. It says that the code is designed to be practical, but if it seems to pose unrealistic expectations for organisations, the ICO would like to hear their views now. Areas that are addressed include risks, individuals’ wishes, practical compliance issues and territorial issues. The ICO now recognises that in some areas, e.g. cookies, it may not be realistic to apply DP law literally.
Read more about the Code and the ICO’s views in the February issue of PL&B UK.
The deadline for submitting comments to the Code is 5 March 2010. See the consultation document at http://ico-consult.limehouse.co.uk/portal
2. ICO launches new guidance on DP Act
The ICO has produced a new Guide to Data Protection, which is intended to provide businesses and organisations with practical advice about the Data Protection Act and dispel myths. The guide takes a straightforward look at the principles of the DP Act and uses practical, business-based examples.
The guide, which has been developed in cooperation with the British Bankers Association and the Federation of Small Businesses, is best suited for small and medium sized enterprises. It is divided into three parts, thus allowing users to choose whether they need very basic or more detailed compliance advice.
Stephen Alambritis, Head of Public Affairs at the Federation of Small Businesses, said: “Small businesses do not have time for pages and pages of jargon and gobbledegook, but getting data protection right makes good business sense. Data protection lapses cost reputations and can affect the bottom line. But, many organisations tell us that data protection law is difficult to understand. This new no-nonsense guide will help the business community to understand and comply with the law.”
The guide was launched on 26 November and can be downloaded from the ICO website at www.ico.gov.uk
3. Verity Trustees guilty of losing 110,000 personal records
Verity Trustees Ltd has been found to be in breach of the Data Protection Act having reported the theft of a laptop computer containing the names, addresses, dates of birth, salaries and national insurance numbers of around 110,000 individuals. The laptop was stolen from a locked server room at Northgate Arinso, the suppliers of the Verity Trustees’ computerised pensions administration system.
The company has now signed a formal Undertaking with the ICO, promising to ensure that:
(1) Portable and mobile devices including laptops and other portable media used to store and transmit personal data are encrypted using encryption software which meets the current standard or equivalent;
(2) Adequate written contracts are in place with third parties acting as data processors that encompass data security obligations as soon as practicable and in any event by no later than six months from the date of the undertaking being given;
(3) Adequate measures are in place to ensure third parties meet their contractual data security obligations as soon as practicable and in any event by no later than six months from the date of the undertaking being given;
(4) The data controller shall implement such other security measures it deems appropriate to ensure that personal data is protected against unauthorised and unlawful process, accidental loss, destruction, and/or damage.
Mick Gorrill, Assistant Information Commissioner at the ICO, said:”It is encouraging to see that the Trustees have taken remedial steps, including the engagement of a fraud protection service provider to protect the affected individuals.”
The Undertaking , signed on 26 November, can be seen at http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
For further details on the Privacy Laws & Business UK Newsletter, please click here.
Copyright Privacy Laws & Business 2009