PL&B UK E-news, Issue 76

1. Private sector audits and obligation to reveal third party lists on ICO radar

The Thomas Walport/Richard Thomas report, commissioned by the Prime Minister in October 2007 as an independent review of the DP regime, says that there must be a statutory right to carry out private sector audits. If businesses refuse, the ICO should be given entry by court order.

The report, prepared by the Information Commissioner Richard Thomas and Wellcome Trust Director Dr Mark Walport, also asks for penalties that reflect those available to the FSA. In addition, companies should be made to reveal which businesses they mean by ‘selected third parties’.

More specifically, the authors say that the government must bring the new penalty provisions in the Criminal Justice & Immigration Act into effect by 8 November 2008.

On data breach, the recommendation is that organisations should voluntarily notify the ICO when a significant data breach occurs.

The Thomas Walport/Richard Thomas report was published on 11 July. Read in PL&B UK’s August issue, published today, how these recommendations, some of them very likely to become part of the regulatory framework, will affect your business.

2. Ministry of Justice supports increased powers for ICO

Following the publication of the Thomas Walport/Richard Thomas report that makes several recommendations on how to ensure the ICO can effectively supervise DP compliance, the Ministry of Justice has given its support to the recommendations.

Justice Minister Michael Wills said in a statement on 16 July:
‘The government wants to ensure that the Information Commissioner has the powers and resources to continue to be able to carry out his duties under the Data Protection Act 1998 effectively, in a rapidly changing environment. Good regulation is essential to support a robust data protection framework. The use of information underpins government's ability to deliver benefits for the citizen through improved public services, new opportunities for the most disadvantaged, protection from crime and terrorism and sustaining economic well being.’

‘I welcome the review's recommendations and agree that measures need to be taken to increase public trust and confidence in the handling and processing of personal data by government and the private sector. Government will consider how best to take forward the remaining recommendations and it will respond in detail in autumn 2008.'

3. M&S enforcement notice cancelled

The ICO, on 14 July, cancelled the enforcement notice issued to Marks & Spencer on 5 October 2007 as a result of the company taking the required steps to improve its data security.

M&S has encrypted all of its 4,532 laptops in the UK and abroad. The company took the decision to encrypt all laptops regardless what type of data was held on them.

M&S IT Director, Darrell Stein, informed the ICO that ‘Marks & Spencer will continue to ensure that personal data stored on laptops, including those which are acquired in the future, are encrypted by cryptographic modules that comply with FIPS 140-2 or an equivalent standard and will update its encryption as necessary, in so far as the same is required by law.'

4. ICO serves enforcement notices to HMRC and MOD

The ICO Enforcement Notice of 14 July 2008 to Her Majesty’s Revenue and Customs (HMRC) says that the organisation has contravened the Third Data Protection Principle - personal data processed on the missing compact discs were excessive for the purpose for which they were processed – and the Seventh Data Protection Principle on data security. Although there is no proof of damage, the likelihood of distress to the 25 million individuals concerned is self-evident.

HMRC is to give effect to the recommendations still to be implemented in the Poynter Report within the next 36 months. HMRC needs to provide the Commissioner with progress reports through its Data Security Programme after 12, 24 and 36 months documenting in detail how the recommendations of the Poynter Report have been, or are being, implemented.

The Enforcement Notice to the Ministry of Defence (MOD), also of 14 July, for the loss of a laptop containing personal details of a stolen laptop computer holding personal data of up to 1 million individuals, notes that the organisation has breached the Third and the Seventh Data Protection Principles.

The organisation is required to give effect to the recommendations still to be implemented in the Burton Report by 31st March 2009 (for example, a personal data audit, and introducing policy and procedures for both data cleansing and data governance), and to provide the Information Commissioner with a copy of the 3 monthly progress report.

Read more about the HMRC investigation and recommendations in the August issue of PL&B UK.

See the section of Richard Thomas’s presentation to Privacy Laws & Business’s 21st Annual International Conference on the HMRC’s and MOD’s data disasters and the lessons for all organisations.

For further details on the Privacy Laws & Business UK Newsletter, please click here.

Copyright Privacy Laws & Business 2008