The Office of the Information Commissioner (ICO) today called on UK chief executives to take the security of employees’ and customers’ personal information more seriously.
His call follows a number of what he terms as "unacceptable" security breaches over the last year, involving leading names such as Orange and several high street banks including Nationwide, who was fined nearly £1 million by the Financial Services Authority (FSA) .
Speaking at the launch of his annual report in London, Richard Thomas, the Information Commissioner, said the UK has seen far too many careless and inexcusable breaches of people’s personal information. “The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying,” he said.
Thomas asked: “How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each others’ forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags?”
The Information Commissioner also called on business and public sector leaders to take their data protection obligations more seriously. “The majority of organisations process personal information appropriately – but privacy must be given more priority in every UK boardroom,” said Thomas. “Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers.”
The public’s awareness of data protection rights has risen to an all-time high of 82% and more and more people understand that personal information must be handled appropriately. To ensure personal information stays private, the Information Commissioner has called for stronger audit and inspection powers for his Office. Currently the ICO can only audit organisations’ information handling practices with their consent. The Commissioner wants the right to inspect and audit practices where poor practice is suspected.
The Information Commissioner’s annual report highlights that the ICO received almost 24,000 enquiries and complaints concerning personal information in 2006/7. The ICO has prosecuted 16 individuals and organisations in the last 12 months and two Parliamentary inquiries have started following the Commissioner’s call for a debate on the UK’s ‘surveillance society’.
The ICO reported that it has now received almost 6,000 complaints under the Freedom of Information Act and has closed over 75% of those. Following changes within the ICO, 339 formal decision notices were served in 2006/7 – an increase of over 82% from the previous year.
The ICO also issued over 600 decision notices – 30% of the Commissioner’s rulings upheld the initial decision by the public authority while 38% of decision notices issued by the ICO ruled in favour of the complainant. In 32% of cases the Commissioner upheld some elements of the complaint in favour of the complainant and agreed with the public authority on others.