CEOs urged to raise their game following unacceptable privacy breaches
The Information Commissioner is today calling on UK chief executives to take the security of employees’ and customers’ personal information more seriously. His call follows a number of unacceptable security breaches over the last year, involving leading names such as Orange and several high street banks.
Speaking at the launch of his annual report in London, Richard Thomas, the Information Commissioner, said: ‘Over the last year we have seen far too many careless and inexcusable breaches of people’s personal information. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying.
‘How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each others’ forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags?’
The Information Commissioner added: ‘Business and public sector leaders must take their data protection obligations more seriously. The majority of organisations process personal information appropriately – but privacy must be given more priority in every UK boardroom. Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers.’
The public’s awareness of data protection rights has risen to an all-time high of 82% and more and more people understand that personal information must be handled appropriately. To ensure personal information stays private, the Information Commissioner has called for stronger audit and inspection powers for his Office. Currently the ICO can only audit organisations’ information handling practices with their consent. The Commissioner wants the right to inspect and audit practices where poor practice is suspected.
The Information Commissioner’s annual report highlights that the ICO received almost 24,000 enquiries and complaints concerning personal information in 2006/7. The ICO has prosecuted 16 individuals and organisations in the last 12 months and two Parliamentary inquiries have started following the Commissioner’s call for a debate on the UK’s ‘surveillance society’.
The ICO has now received almost 6,000 complaints under the Freedom of Information Act and has closed over 75% of those. Following changes within the ICO 82% more decision notices were issued in 2006/7 than in the previous 12 months. The ICO has issued over 339 decision notices in 2006/7 – 26% of the Commissioner’s rulings upheld the initial decision by the public authority while 39% of decision notices issued by the ICO ruled in favour of the complainant. In 35% of cases the Commissioner upheld some elements of the complaint in favour of the complainant and agreed with the public authority on others.