In early May 2008 the Criminal Justice and Immigration Act 2008 received
Royal Assent. Among its provisions, it gives the Information Commissioner's
Office (ICO) the power to apply stricter sanctions to all organisations,
not just highly regulated firms such as financial institutions.
Strengthening the Data Protection Act in this way is expected to
have a positive effect on how organisations handle personal data and
to push them towards treating the privacy of client information as a
first-order concern.
The new legislation (once the relevant provisions are brought into force)
allows the ICO to impose monetary penalties directly on organisations that
deliberately or recklessly commit serious breaches of the Data Protection
Act 1998. In practice this means that an organisation found to have breached
the confidentiality of personal data can be penalised on the strength of the
ICO's own investigation (the ICO is often referred to as the 'privacy
watchdog'), without the ICO first having to take the matter to court.
The Deputy Information Commissioner, David Smith, has said that the
change in the law underlines the importance of complying with the eight
data protection principles of the Data Protection Act. In his view it
makes clear that an ad hoc approach to handling clients' personal
information is completely unacceptable.
Alongside the penalty powers, the ICO has been pressing for the power to
carry out random and unannounced audits in order to check an organisation's
data protection performance directly rather than relying on self-reporting.
The changes are widely seen as a response to growing concern, from a
number of public bodies and from individuals, about the security and data
breaches that have recently occurred in the UK.
The ICO's position is that the new legislation will give individuals
greater assurance that organisations are keeping their data secure, and
that it should therefore increase consumer and client confidence.
ITC would like to take this opportunity to inform all our clients
that we make every effort to ensure full compliance with
all data protection laws. We have reviewed the legislative changes
made in early May and taken them into account in our own practice.
The role of the ICO in policing how organisations protect personal data
has clearly been strengthened, and the eight principles of the Data
Protection Act will consequently be enforced more rigorously.
We would like to assure all our clients that we are fully in accordance
with the Data Protection Act and have gone to every effort to ensure
the complete confidentiality of all client data.
Example
HMRC security breach:
In November 2007, HM Revenue & Customs reported that the personal records
of around 25 million people in the UK had been 'lost' in transit:
two discs sent by internal post never arrived. The records related to
child benefit payments and so included names, addresses, dates of birth
and National Insurance numbers, as well as bank account details. It was
later established that neither of the two discs carrying the data of these
25 million individuals had been encrypted. This is a clear breach of the
Data Protection Act, in particular the seventh principle, which requires
that "appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and against
accidental loss or destruction of, or damage to, personal data".
Password protection on a disc is not a substitute for encryption: anyone
who obtains the physical media can read the data if it is stored in the clear.
It is as a result of incidents like this that the ICO pushed for the
recent change in legislation, with the goal of making organisations take
the principles of the Data Protection Act more seriously. The consequences
of not doing so are evident: a substantial loss of consumer confidence,
damage to reputation, and potentially financial losses as well.
