The Information Commissioner’s annual report this month highlighted that many companies and public sector departments are still not taking the Data Protection Act (DPA) seriously enough, despite the law being in force for almost nine years.
The past year has been particularly bad for data protection. With an
increasing amount of personal information being held online or on easily
portable devices, the potential for data to go missing is on the rise.
‘The roll-call of banks, retailers, government departments, public bodies and
other organisations that have admitted serious security lapses is horrifying,’
said Information Commissioner Richard Thomas on the release of the report.
The Financial Services Authority (FSA) fined Nationwide £980,000 in February for failing to manage its information security risks after a laptop containing customer details was stolen.
In March, the Information Commissioner forced 11 banks and financial
institutions to sign an undertaking to stick to the principles laid down in the
DPA, after they were found to have discarded customer information in waste bins
outside premises.
A month later a breach in the government’s Medical Training Application Service web site was found to be exposing doctors’ personal information to other users. The Department of Health is investigating the security lapse.
And an online UK visa application web site for people in India, Russia and
Nigeria provided by VFS Global was found to be exposing applicants’ details.
Most recently, Orange was criticised by the Information Commissioner for allowing staff to share passwords and have potential access to customer data.
Littlewoods was also singled out for sending unsolicited emails.
Each of these cases highlights a simple mistake in data protection, and each is a problem that can be remedied easily.
Nationwide was not fined for the loss of the information itself, but because it was not aware the laptop contained confidential customer details and did not start an investigation until three weeks after the theft. The FSA advised Nationwide to improve its internal controls so that it knows where customer information is held and who has access to it.
Along with staff education, this is the first rule of data protection, says Louise Townsend, data protection expert at law firm Pinsent Masons.
‘You’re supposed to have not just technical measures but organisational
measures on the control of information. A lot of times it might be that the
organisation has these measures but it hasn’t filtered down to all the employees
because of a lack of education,’ she said.
The Nationwide laptop was encrypted, and this should be standard practice.
The banks that discarded customer information in waste bins had a similar
problem. Most had data protection controls in place, but whoever threw out the
information was unaware of them.
The DPA does not require businesses to educate their staff, so companies should look for specific guides elsewhere, says Townsend.
‘The legislation is vague on specific measures businesses can take.
Industries will have best practice guidelines on how to treat information. If
you’re a large financial organisation there will be more stringent regulations
than a small business with a small customer list,’ she said.
The Medical Training Application Service and visa web site breaches highlight
a different problem – checking the security measures of a third party or
outsourcing provider.
Outsourcing contracts are often not vetted for data protection for fear that doing so will veto the deal, which leaves nobody taking responsibility for the data protection policies of suppliers.
‘When you work with an external company it’s important you perform a check on
their probity and their professionals when it comes to data protection. You can
get in trouble if a company you work with abuses those rules,’ said John Wright,
national chairman of the Federation of Small Businesses. The rules are
particularly important when offshoring, where some countries have no data
protection laws and no privacy culture.
The Littlewoods and Orange cases teach two more important, easily forgotten
rules on data protection, according to Gartner analyst Arabella Hallawell.
‘Littlewoods was criticised for sending unsolicited emails. Companies must
make sure they have a customer’s consent before emailing. This is one of the
most frequent breaches of data protection and often ignored,’ she said.
Orange allowed new staff to share passwords, which means an employee might
have access to information they should not. It also makes an audit trail much
more difficult to follow.
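Shared logins break the audit trail because a successful login for one username says nothing about which person was at the keyboard. One cheap check that an operations team can run over its own authentication logs is to look for a single account logging in from several hosts within a short window. The script below is an added illustration, not code from the article or from any of the organisations it names; the log line format, user names and addresses are constructed for the example.

```python
"""Detect accounts that look shared: one username with successful logins from
several different hosts inside a short time window.

Added illustration, not code from the article or from any organisation it
names.  The log line format, user names and addresses are constructed here."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> user=<name> src=<host> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)$"
)

# Constructed sample log (not real data).  jsmith is used from three hosts within
# two minutes; mkhan from two hosts hours apart; adoyle repeatedly from one host;
# tlee only fails to log in.
SAMPLE_LOG = """\
2007-06-12T09:01:03 user=jsmith src=10.1.2.3 result=success
2007-06-12T09:02:10 user=jsmith src=10.1.2.9 result=success
2007-06-12T09:02:45 user=jsmith src=10.1.2.17 result=success
2007-06-12T09:03:00 user=adoyle src=10.1.2.4 result=success
2007-06-12T09:10:30 user=adoyle src=10.1.2.4 result=success
2007-06-12T13:15:00 user=mkhan src=10.1.3.2 result=success
2007-06-12T17:40:00 user=mkhan src=10.1.5.8 result=success
2007-06-12T17:41:00 user=tlee src=10.1.2.50 result=failure
2007-06-12T17:41:30 user=tlee src=10.1.2.51 result=failure
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_shared_accounts(log_text, window_minutes=10, min_hosts=2):
    """Return {user: sorted list of hosts} for every user whose successful
    logins come from at least `min_hosts` distinct hosts within any
    `window_minutes` span.  Failed logins are ignored: they indicate
    guessing, not sharing."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["result"] == "success":
            by_user[event["user"]].append((event["ts"], event["src"]))

    flagged = {}
    for user, events in by_user.items():
        events.sort()  # chronological, so each window can start at one event
        suspicious_hosts = set()
        for i, (start, _) in enumerate(events):
            hosts_in_window = {src for ts, src in events[i:] if ts - start <= window}
            if len(hosts_in_window) >= min_hosts:
                suspicious_hosts |= hosts_in_window
        if suspicious_hosts:
            flagged[user] = sorted(suspicious_hosts)
    return flagged


if __name__ == "__main__":
    for user, hosts in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: successful logins from {len(hosts)} hosts within 10 min: {', '.join(hosts)}")
```

A hit is a lead for triage rather than proof of sharing: a VPN address pool or hot-desking can produce the same pattern, so the next step is to check the flagged account against HR and desk records. The fix the article points to is the same either way: one account per person, and stronger authentication for the accounts that can reach customer data.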
‘This is one of the most basic security measures: don’t share passwords and
don’t let staff fall into poor password practices. Businesses should strongly
consider two-factor authentication to start an employee PC and to access data,’
said Hallawell.
‘Our research shows that all businesses that spend money on security measures
will save when the cost is compared to the fines and bad publicity associated
with breaches.’
Best practice: data protection
The Information Commissioner lays out eight good practice principles for data
protection.
All personal data should be:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up-to-date
Not kept for longer than is necessary
Processed in line with your rights
Secure
Not transferred to other countries without adequate protection
Visit www.ico.gov.uk for more details