Victoria Judge of Gotelee & Goldsmith explains how the Information Commissioner is stepping up the pressure on organisations breaking the Data Protection Act.

FOLLOWING the results of an investigation by the European Commission, which found that the UK's privacy laws are “woefully inadequate”, the British Standards Institution (BSI) has reported that close to one in five businesses has at least once unwittingly breached the Data Protection Act, with nearly half of these admitting to doing so on more than one occasion.

A breach generally means breaching one of the eight principles of data protection. Do you know what they are? In summary, data should be:

• Fairly and lawfully processed;
• Processed for limited purposes;
• Adequate, relevant and not excessive for those purposes;
• Accurate;
• Kept for no longer than is necessary;
• Processed in line with the rights of the individuals to which the data relates;
• Afforded an appropriate level of security; and
• Not transferred outside of the European Economic Area to a country with inadequate privacy laws.

You might be surprised to learn that theft of equipment which holds personal data may be a breach. Recently a council was found to be in breach because a password-protected laptop was stolen from a locked room. The laptop was not encrypted, and because of this the level of security was inadequate.

You may think, so what if I breach data protection legislation? I'll only be given a slap on the wrist and told to get it right in future. That's what happened to HM Revenue & Customs when it lost millions of records.

It is true that, historically, the Information Commissioner (the UK body responsible for enforcing the UK data protection laws) has been seen as a bit of a toothless tiger. This is because at the moment it cannot impose an immediate fine for a breach of the principles of data protection. However, that is set to change.

The Information Commissioner has announced that from April next year it will be able to issue fines for knowing or reckless breaches of the principles of data protection. So, if you know that your data practices are inadequate, or simply don't care, time is running out! It is sensible to audit your data protection practices and policies to make sure that your organisation complies with the principles of data protection.

Mike Law, director of standards at BSI, said: “The five million small and medium-sized businesses in the UK are handling vast amounts of personal information on a daily basis. While it is encouraging that some already have appropriate data protection measures in place, our survey shows that there is still a long way to go.”