The Information Commissioner’s Office (ICO) has brought out a new report – urging organisations to take wha the ICO calls simple steps to improve organisational and technological measures to better protect personal information.
The privacy watchdog commissioned the report, Privacy by Design, to help organisations adopt new privacy by design techniques.
Privacy by Design was launched at the ICO’s conference in Manchester on November 26. The report highlights the need to ensure privacy is considered properly by organisations and from the start when they are developing new information systems.
Jonathan Bamford, Assistant Commissioner, said: ‘Organisations collect more and more personal information and many have invested in new technology to enable them to exploit our details more efficiently. But have those organisations devoted the same effort to privacy protection? We are concerned that some organisations are still failing to realise the business risks associated with holding vast collections of personal data and we continue to urge organisations to minimise the amount of personal data they hold.’
Jonathan Bamford said: ‘Today’s conference will highlight ways in which organisations can embed good practice and promote privacy by design from the outset. Executive teams must ensure they have the right procedures in place to properly protect the personal information they hold. Chief executives must understand their responsibility for ensuring their organisations protect the personal information entrusted to them and avoid security breaches. Before a new system is set up to collect more personal details, organisations should make sure that privacy solutions are hardwired in from the start, rather than added at a later stage. No system is 100 per cent secure, but organisations can mitigate the risks of data getting into the wrong hands by adopting privacy by design features and minimising the amount of data held.’
The report highlights the importance for chief executives to ensure that privacy concerns are addressed in any business case for new information systems. Privacy impact assessments should be carried out more widely to determine the impact of collecting and holding people’s personal details. Privacy enhancing technologies should be hardwired into new systems from the outset, rather than bolted on as an after thought.
The failure to process people’s personal information in line with the Principles of the Data Protection Act has led to significant security breaches. The ICO pointed out that it has taken enforcement action against a number of organisations and will shortly have the power to impose substantial fines on organisations where there is evidence of deliberate or reckless breaches.
Visit www.ico.gov.uk
Meanwhile, the Ministry of Justice proposes that the ICO can impose monetary penalties on data controllers for deliberate or reckless loss of data; inspect central government departments and public authorities’ compliance with the Data Protection Act without always requiring prior consent; require any person, where a warrant is being served, to provide information required to determine compliance with the Data Protection Act; impose a deadline and location for the provision of information necessary to assess compliance; publish guidance on when organisations should notify the ICO of breaches of the data protection principles; and publish a statutory data sharing code of practice to provide practical guidance on sharing personal data.
What Straw says
Jack Straw Justice Secretary said: ‘As new technologies have developed, the secure storage and careful sharing of personal information held by both the public and private sectors has become paramount. Strong regulation and clear guidance is essential if we are to ensure the effective protection of personal data.
‘The changes we propose will strengthen the Information Commissioner’s ability to enforce the Data Protection Act and improve the transparency and accountability of organisations dealing with personal information. This is very important if we are to regain public confidence in the handling and sharing of personal information. The Prime Minister and I are very grateful to Professor Mark Walport and Richard Thomas for all their work on the Review, from which these decisions flow.’
The Government also proposes revising the ICO’s funding structure for its work on data protection to a tiered fee structure based on size of organisation. This will replace the flat rate notification fee which has not changed since its original introduction in 1984. It will better reflect the level of work and provide additional funds for the ICO.
Today’s proposals follow a detailed consultation held by the Ministry of Justice on the Information Commissioner’s inspection powers and funding following recommendations in the Data Sharing Review published in July 2008. Legislation will be introduced as soon as parliamentary time allows.
ICO say
David Smith, Deputy Commissioner said: “We welcome the MoJ’s announcement that it will introduce legislation to provide significant new powers for the ICO. Protecting people’s personal details has never been more important and these new powers send a strong message that data protection must be taken seriously. We particularly welcome the government’s commitment to legislate to enable the ICO to inspect central government departments and other public sector bodies’ compliance with the Data Protection Act without always requiring consent. Subject to approval from Parliament, this new remit will enable us to work closely with these organisations to improve their compliance with the Act. We would have preferred to have this power to undertake audits extended to private sector organisations as well.
‘The commitment to increase the resources available to the ICO through the introduction of tiered notification fees should help enable us to carry out our extended duties properly. Provisions introduced earlier this year in the 2008 Criminal Justice and Immigration Act will enable the ICO to impose substantial fines on organisations where there is evidence of reckless or deliberate data protection breaches. We are working with the Ministry of Justice to ensure that we can make use of this power as soon as possible. ‘
