Wednesday, July 11, 2007

Additional powers for the ICO

Following this morning's Radio 4 interview with the UK Information Commissioner on the number of organisations breaching data protection rules (and no doubt there will be a lot more press on this), one of the issues arising out of it is whether the ICO's powers should be increased to better protect the consumer. Here is a short extract:

A "horrifying" number of companies, government departments and other public bodies have breached data protection rules in the past year, a report says. The UK's Information Commissioner Richard Thomas said bosses must take the personal data of both customers and staff seriously. Orange, Barclays and NatWest are three of the firms he has rapped this year. The Ministry of Justice said prison sentences could be given to those who deliberately misuse personal data. Mr Thomas received nearly 24,000 enquiries and complaints about personal information issues in 2006-07. His report said 56.5% of these required only advice and guidance, while a breach was likely to have happened in 35% of cases, of which a further 77% resulted in remedial action. "Frankly these are inexcusable. None of this is really rocket science - security is fundamental," he told BBC Radio 4's Today programme.

Just a reminder of the data protection principles under the Data Protection Act 1998 and in particular, the 7th data protection principle:


1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For any organisation that handles personal information, here are a few questions (not exhaustive, but let me know if there are any more) that will need to be asked:
  • Who is your data protection officer?
  • Are there training sessions to raise awareness of the importance of data protection?
  • Who do I complain to where there is a security breach?
  • What are my rights? (On this, visit the UK ICO website)