ICO to make data protection compliance easier

The Information Commissioner said in a statement along with the release of the Guide to Data Protection, that “there are still too many organisations playing fast and loose with personal data. Security breaches, inaccurate records and instances of data being held for too long are too common. This new guide will help organisations comply with the law and demystify data protection.”

At a reception with banking professionals in London on 26 November, Graham said the ICO has set itself an ‘Olympic challenge’ for 2012: “Our vision is by 2012, to be recognised by our stakeholders as the authoritative arbiter on information rights.”

ICO tips for organisations include:

  • Organisations should say what they will do with personal data before individuals provide any details unless it is obvious.
  • Information should only be used for what it was collected for.
  • More information than is necessary should not be collected.
  • Information should be kept accurate and up to date, and organisations should act on requests from individuals to correct their details.
  • Personal information should not be kept longer than it is needed.
  • Organisations must comply with an individual’s request for copies of the information held about them.
  • Personal information must be kept secure at all times.
  • Personal information should not be transferred to another country unless adequate data protection arrangements are in place.

Crime and punishment

Graham told the audience that the ICO has to change because it is operating in a changing environment. The ICO has recently been awarded more powers, but also new responsibilities, challenges and the ability to dish out larger penalties. With all this, the ICO is also facing growing expectations from the authorities, organisations and the public.

Following the event, Graham explained the ICO’s increased powers to Infosecurity. “We got civil monetary penalties for organisations that breach Section 55 of the Data Protection Act – the more serious breaches. The government is discussing the possibility for custodial sentencing for individuals who misbehave similarly.

“We’re getting a great increase in complaints about misuse of data, and we’re also responsible for freedom of information. We got a great increase in the freedom of information business – 29% up on the same period last year”, Graham said.

Another challenge for the ICO going forward is to “make sure that the organisation is able to adapt to the new circumstances and that we’re really able to deliver. So it’s quite a lot of management to be done”, he told Infosecurity.

Asked about whether the ICO will be a data protection breach punisher or friendly business enabler, Graham said: “We have to do both. The thing about penalties is that they’re there in the background, and they are a deterrent. Good, modern regulation is not about waiting around the corner to say ‘aha – you got that wrong, we can fine you’, we’re not interested in fining people except to get good behaviour.”

The Information Commissioner told Infosecurity that it is up to the ICO to give good advice to industry and consumers, and that people “will be very well advised” to keep an eye on the ICO website and/or sign up for the ICO newsletter to keep up to date with rules and regulations, but also on advice that could keep companies out of trouble.

Echoing several calls from information security experts, Graham added that “All this [information security and data protection] should be a main board responsibility, this is not just something for the techies in the IT department. This is potentially completely toxic if you get it wrong.”

The perils of data loss

The Information Commissioner made it clear to the London audience that he is keen to learn from organisations and businesses what they need and want. He also recognised that the ICO should lead by good example. “We do not ask others to do what we are not prepared to do ourselves”, he assured the audience.

Part of Graham’s – and the ICO’s – learning curve will be to learn more about technology. “We need to be technologically literate so that we can be ahead of the game on the policy front, so we understand what happens”, Graham told the audience in London. He added that the ICO also needs to be able to communicate policies and information to everyone, be they experts, technologists, industry or ordinary people.

He also said that organisations should not fear the internet and the information age, even though it has given large powers to the consumers. Organisations have to learn to live with this and find ways of dealing with it, he said.

“The reputation of companies and organisations, or government and finance, can be very easily trashed”, Graham explained. “Nothing dents people’s confidence in a major brand or organisation more than a stonking great data loss.”

However, he added: “Nothing restores confidence in organisations better than confident transparency in the internet world.”