The UK’s privacy watchdog is confident it will be granted yet more resources to enforce the Data Protection Act (DPA), and hopes to recruit staff so that it can provide IT advice to firms, as the fallout from the HMRC fiasco rolled on last week.

The Information Commissioner’s Office (ICO) has already been given new powers to carry out spot checks on government departments to ensure they are adhering to data protection procedures in light of the breach, and has called on the government to introduce stiff legal penalties for organisations that fail to safeguard sensitive data.

Speaking at the Inbox/Outbox email conference in London this week, Dave Evans of the ICO said the HMRC data loss and recent European Commission proposals may help to further raise the profile of the organisation and the issues it deals with.
“After last week’s [data breach] there may be a change in [government attitude] when we beg for the right staff,” he said. “We aren’t IT experts so we don’t have the experience to tell people what to do at the moment.”

The European Commission recently said that certain countries, including the UK, have not been effective enough at enforcing data protection legislation, and Evans argued that this situation could see the ICO being given greater powers in future.
“We are pleading for more resources to enforce [the DPA],” he said. “Often, enforcement action can take 12 months to carry out, which doesn’t stop some people doing what they were doing.”

Evans also warned firms monitoring staff email usage that they run the risk of breaching privacy rules if they are not transparent about what they are doing. He encouraged firms to contact the ICO if they think any initiative may raise legal concerns. “It’s important to ask yourself before embarking on anything, ‘Would this person be horrified if they found out what you were doing?’” Evans added. “We’d rather you check with us first before things go wrong.”

Jerry Fishenden, Microsoft national technology officer, argued that more audits would be welcome “provided they are done in the right way and organisations see them less as a threat and more as something to be valued”.

Geoff Donson, group security manager at Telecity and formerly of the National Hi-Tech Crime Unit, agreed there is a need for auditing but also called for financial penalties in the case of private sector breaches.

“[Organisations] have to be audited but what happens when things aren’t as they should be?” Donson said. “At that point you have to look at penalties, but I accept it’s very difficult in the public sector.”