services 
for business

 services 
for individuals


Associated Sites

Associated Services

 News  
 

ICO plans to name and shame organisations in breach Data Protection Act


A “name and shame” list which includes at least 11 leading financial and other organisations as being in breach of the Data Protection Act (“Act”) has been published by the Information Commissioner's Office.

Richard Fox, assistant at Leathes Prior, says “The action, taken after the ICO looked into complaints about how customers' information had been disposed of, is a serious reminder for organisations in all industries of the need for robust and effective information security measures to protect personal information.”

He goes on to mention: “The duty to take appropriate technical and organisational security measures to prevent unauthorised or unlawful processing, accidental loss of or destruction or damage to personal data, is the one of the Eight Data Protection Principles and a mandatory requirement under the Act for data controllers who process personal data.”

The ICO claimed that these organisations breached the security principle of the DPA by unlawfully disposing of customer information in an insecure way.

One example cited was the disposal of customers' information simply by leaving it in rubbish bins outside their premises, thereby risking that their customer's personal and financial information might be intercepted by others and used fraudulently. The organisations highlighted have been made to sign formal undertakings to comply with the Data Protection Principles: if they then fail to meet the conditions of the undertaking, further enforcement action and ultimately prosecution could result.

Breach of any of the data protection principles can lead to the service of notices by the ICO, either in the form of information notices requiring the data processing entity to provide information about its data processing operations or enforcement notices requiring it to comply with the data protection principles.

The ICO also has at its disposal powers of entry, inspection and seizure of documents and equipment. Failure to comply with any of these notices can be a criminal offence but, aside from the legal consequences of breach, there is risk of significant reputational damage and loss of customer confidence.

Organisations should review their information security procedures. Possible measures include carrying out a review of existing administrative, physical and technical safeguards for protecting personal information, held in both paper and computerised form, as well as a review of the security of buildings and personal computing devices such as laptops and PDAs.

All workers who have access to personal information, whether computerised or paper based, should be suitably trained and aware of the requirements imposed by the Act, what they need to do to ensure the company's compliance, and what the consequences may be for the organisation and them personally if they do not follow procedures.

Other steps include avoiding capturing sensitive personal data in unsecure environments without protections such as encryption, or avoiding altogether the processing of data in an identifiable form where this is not necessary.

Mr Fox concludes that arrangements with all suppliers (ie, data processors as described by the Act) who may have access to your organisation's personal information should be considered. Have they given adequate assurances that they will protect the data, have they signed a written agreement agreeing to act only on your instructions and keep the information secure, and are you regularly monitoring their compliance with these obligations?

 

If you require advice on any of the above or guidance on what steps your business should take to ensure compliance with the act, please contact Richard Fox at Leathes Prior on 01603 281127. Richard is a commercial solicitor, who specialises in data protection compliance.

Back To News