PL&B UK E-news, Issue 68

1. ICO asks for mandatory audits, criminal offence and data breach notification

The House of Commons Justice Committee published a report on 3 January 2008, together with formal minutes, oral and written evidence, entitled: “Protection of Private Data.” It records evidence given on 4th December 2007 by Richard Thomas, the Information Commissioner, to the Justice Committee hearing on the protection of personal data. He said that his powers are currently too weak to enforce the law effectively.

The Commissioner is asking for several improvements:

  • power to require organisations to commission an independent audit on their data processing
  • power to inspect personal data and the circumstances surrounding its processing
  • a requirement for specified organisations to declare in their Annual Reports that they are satisfied that they have put appropriate security measures into place
  • a requirement to notify the ICO, and the individuals affected, where data security breach presents a real risk of causing substantial damage or distress to individuals
  • a new criminal offence where organisations have knowingly or recklessly failed to comply with DP principles
  • wider use of Privacy Impact Assessments.

Read more about this topic in the February issue of the PL&B UK Newsletter.

2. Data protection regulator poorly funded while personal data has become a “reputational risk” factor for all sectors

When Richard Thomas, the Information Commissioner, gave evidence to Parliament’s House of Lords and House of Commons Joint Committee on Human Rights on 14th January, he drew attention to the disparity between his annual budget for data protection compliance (£10 million) compared with other regulators, the Health and Safety Executive (£890 million) and the Financial Services Authority (£269 million). He had only “a handful of staff” to conduct security inspections and audits at 280,000 registered data controllers.

He said that the recent loss of personal data on 25 million people by Her Majesty’s Revenue and Customs had a “silver lining.” It was a “wake up call” in accelerating the trend away from the protection of personal data “not being taken as seriously as it should be” and “somewhat grudging” in both public and private sectors. The proper holding of personal data is increasingly regarded in both public and private sectors as an important factor in “safeguarding reputational risk.” The collection and use of personal data had now become a “governance and accountability issue.”

For example, the Permanent Secretary at the Department of Transport, after the loss by a data processor in the USA of data on thousands of people who had taken driving tests, had written to all his staff reminding them of their data protection responsibilities. Thomas also expressed a particular concern about the collection of transactional data and the build up of a profile “every time a card is used.”

3. Privacy Impact Assessments as a risk assessment tool

The ICO is recommending that organisations carry out Privacy Impact Assessments (PIAs) before starting any new projects or programmes that may have privacy implications.

PIAs are not currently obligatory but the ICO has recommended to Parliament that they should be made mandatory in certain cases. In some other countries, PIAs have often been built into government project management processes and management decision-making as a matter of policy.

PIAs are about identifying and managing privacy risks. The ICO says that by conducting PIAs, organisations can avoid reputational damage and litigation. By performing a PIA at an early stage of a project, organisations can identify any problems before it is too late.

Read more about PIAs and the ICO’s plans in the February issue of the PL&B UK Newsletter, due to be published in the first week of February.

The ICO published a handbook on 11 December 2007 on how to conduct a PIA. Privacy Laws & Business conducts independent audits and PIAs – please contact Stewart Dresner at e-mail for more information.

4. PL&B privacy survey seeks your views

How are privacy professionals valued in their organisations in the UK? How well is your organisation prepared for a loss of personal data? What do you think of the proposed new compulsory audit powers in the public sector for the Information Commissioner? Should they be extended to the private sector? Should there be a criminal offence for major data security breaches? And how are you, as a Privacy professional, valued in comparison to others doing similar work in your sector?

The results will give you, and the wider privacy community in the UK, an idea of how Privacy is regarded within the UK and how Privacy professionals are valued within their organisations in terms of resources and remuneration, as well as the scope of their work. Obviously the more responses we receive, the more valuable the overall report will be.

We intend to run this survey on an annual basis. A copy of the survey report will be sent to all those who participate, and a summary will be posted on our website.

For further details on the Privacy Laws & Business UK Newsletter, please click here.

Copyright Privacy Laws & Business 2008