Richard Thomas is the Information Commissioner, appointed by the Queen to be the independent supervisory authority for the Data Protection Act, the Privacy and Electronic Communications Regulations, the Freedom of Information Act and the Environmental Information Regulations.
Richard Thomas shares his thoughts exclusively with Infosecurity Europe on the latest findings in the ICO annual report, released earlier this month, which called for chief executives to prioritise protection of their customers' sensitive data.
Can you give us a brief summary of the report?
My Office is responsible for enforcing the Freedom of Information Act and the Data Protection Act. Over the last year these two strands of our work have repeatedly set the news agenda and featured heavily in Parliament and in public discussion. The annual report gives an overview of some of this work and highlights some of our achievements over the past 12 months. At the ICO, we have had a very successful year. We have handled unprecedented caseloads and issued a steady stream of well-respected freedom of information decision notices. We have shown our regulatory teeth with successful prosecutions and enforcement action and produced hard-hitting reports on the pernicious illegal trade in personal information. We have also started a national debate on surveillance issues and this has led to two select committees launching inquiries on the subject.
You describe yourself as horrified by recent security breaches. What in particular, horrifies you?
Over the last year we have seen far too many careless and inexcusable security breaches involving people’s personal information. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is, as I stated at the launch of my annual report, frankly horrifying. People must be able to have confidence that their personal information is secure.
My Office, the ICO, takes these breaches very seriously and, over the past year, we have taken action against a number of organisations which have put their customers at risk by not protecting their personal information effectively. We recently found 12 banks and financial institutions in breach of the Data Protection Act following the careless disposal of customers’ personal information. We ordered the organisations to sign legal undertakings to ensure future compliance with the Act.
And only a few weeks ago we ordered Orange and Littlewoods to sign undertakings following failings to process customer information in compliance with the Data Protection Act.
Are the current penalties sufficient for organisations that either deliberately misuse, or fail to protect, personal data?
Where there is evidence of serious non-compliance with the Data Protection Act my Office does not hesitate to take action. I have powers to use against organisations in breach of the Act. I can issue enforcement notices that require them to change their practices and, in some cases, my office can, and does, prosecute. We have prosecuted 16 organisations in the past year including private detective agencies for blagging personal information and Liverpool City Council for failing to co-operate with one of our formal investigations. Ultimately an organisation in breach of the Act can be fined by the courts.
However I have made no secret of the fact that I would like additional powers. It would undoubtedly concentrate minds if fines could be imposed by the courts on organisations that deliberately or recklessly cause harm by failing to meet their data protection obligations.
It is, though, important to remember that organisations which fail to protect personal information risk losing the trust of their customers and also risk jeopardising their reputation. This is a penalty in itself. For all organisations, maintaining trust and reputation is essential. Business and political leaders should ensure their organisation is not one of the few that fails to take information rights seriously.
Can limiting the amount of electronic information being held about people mitigate this issue, and how could this be effected?
Never before has personal information been so valuable.
More and more information is being collected about us and therefore the risks of inaccurate and out of date information or mistaken or stolen identity increase. As we go about our daily lives we now leave an electronic footprint everywhere we go, for example, when we log into our computers at work, use an Oyster card or make a call on a mobile phone.
There are obvious benefits to collecting and sharing personal information, such as improving public services or helping to prevent crime, but this is not an excuse for collecting excessive personal information or keeping it for ever. Data minimisation, only collecting and keeping what is really necessary, is a key element of reducing data protection risk. Organisations should also adopt other privacy-friendly approaches, for example anonymising data wherever possible and using encryption to protect sensitive details.
How can you encourage companies to disclose more information about security failures?
Many organisations already alert the ICO to security breaches and provide details of the steps taken to ensure that personal information will be sufficiently protected in the future. Where customers’ privacy is affected and they can do something to protect themselves they should be told. However routine disclosure of security breaches is not a legal requirement in the UK, as it now is in much of the US. There may be a case for changing the law in the UK to require more disclosure but it is important to get the balance right between the need to keep individuals informed and the risks of alarming them unnecessarily or imposing disproportionate burdens on businesses.
However business and public sector leaders must take their data protection obligations more seriously. The majority of organisations process personal information appropriately – but privacy and security must be given more priority in every UK boardroom.
Weighing up the gains to be made from stealing and trading personal information, against the realistic chance of successful prosecution and the potential fines - where would you say the balance of power is right now?
My Office has successfully prosecuted many businesses and individuals involved in the illegal buying and selling of personal information. However, in some cases I have been disappointed by the low fines handed out. Some of those involved in this illegal trade make a living out of it. The prospect of a fine is not always a sufficient deterrent. Last year I called for a custodial sentence for individuals convicted of illegally buying or selling personal information. I am delighted that the Criminal Justice and Immigration Bill, which the Government recently introduced, contains provisions for a prison sentence of up to two years for those involved in this illegal trade. I am confident that the possibility of a custodial sentence will act as a real deterrent in the future.
We are talking about a global problem: how enforceable is any legislation or code of practice on an international platform?
Earlier this year, at a conference in Washington, I highlighted the need for the international community to do global privacy better and called for further debate on this issue. There would be clear benefits in a more harmonised and consistent world-wide approach to protecting people’s personal information and regulating privacy breaches.
We can no longer go on with different privacy controls in different parts of the world. Inconsistencies cause unnecessary confusion and complexity, increased costs and reduced consumer trust and confidence.
There are though promising signs of emerging common ground between the United States and the European Union. For example, there is already considerable support for a global privacy standard which includes the need for genuine consent to be obtained for the collection, use or disclosure of personal information, a duty of care for personal information and limitations on use and retention. There are also welcome developments in international co-operation in data protection enforcement facilitated by bodies such as the Organisation for Economic Co-operation and Development (OECD).