Protecting personal details Companies’ responsibility
This article, Protecting personal details, was last updated on 30 July 2008 and is now out of date and held in our online archive for reference. Explore our latest Technology articles.
In recent years there have been numerous incidents where companies and government bodies have lost huge amount of personal data.
One estimate by Forrester Research suggests that information security breaches cost an organisation at least £44 per lost record. Not to mention the damage that is caused to their reputations.
When it comes to protecting your data, people are the weakest link. Here are some recent examples:
- In November 2007 the government admitted that computer discs holding the personal details on 25 million people had gone missing. The discs were lost by government agency, Her Majesty's Revenue and Customs. The data included names, addresses, dates of birth, National Insurance and Child Benefit numbers and bank or building society account details.
- In August 2006, a Nationwide employee took home a laptop containing unencrypted information about customer accounts. It was later stolen in a domestic burglary.
- In July 2007, the Bank of Scotland sent a CD-ROM including the names, addresses, dates of birth and mortgage account numbers of 62,000 of its customers by unsecured post. The CD later went missing in the post.
- In another instance, an investigation by the Information Commissioner’s Office (ICO) found that Orange ‘was not keeping its customers information secure’ due to the way in which ‘new members of staff were allowed to share user names and passwords when accessing the company’s IT system.’
Holding companies responsible
Customers suffer if their data gets into the wrong hands. But, what happens to companies that don't protect your data as well as they should?
Data protection act
In theory, customers are protected by the Data Protection Act. The Data Protection Act has a number of principles.
'One of those requires “appropriate” security measures to be taken,' says Hazel Grant, of legal firm Bird & Bird.
The problem is that the Act doesn't define the word ‘appropriate’ leaving companies free to argue that they've taken enough precautions when in fact their customers might expect them to be doing more to safeguard their personal data.
Unbelievably, companies aren't obliged to tell their customers if their security is compromised.
Nor do they have to tell the Information Commissioner’s Office (ICO), the UK's independent public body set up to promote access to, and to protect personal information.
Where companies do own up to a security breach, the ICO will advise it on what to do next in terms of notifying its customers and improving data security in future.
The ICO can act where a security reach is the result of negligence (sending unencrypted data through the regular post, say).
The first step is to issue a warning known as a Preliminary Enforcement Notice (PEN), which tells the company to improve its security within a set time frame.
If the company doesn’t comply then the ICO can issue an Enforcement Notice. ‘To breach an Enforcement Notice is a criminal offence,’ explains Dave Evans, a senior data protection practice manager for the ICO.
That means that if the organisation still doesn’t comply, then the ICO can prosecute.
It also has powers to prosecute individuals, such as employees, who misuse or steal information. In practice, the ICO has taken what Grant calls a ‘pragmatic’ approach: getting written agreements from organisations to change their future practices rather than prosecuting them for data breaches.
By comparison, the Financial Services Authority (FSA), which regulates the banking industry, has made companies pay for their mistakes. When the Nationwide Building Society lost customer data last year, for example, the FSA imposed a fine of nearly £1m.