Updated: ICO offers advice to businesses handling data

The Information Commissioners Office has called for firms to consider the privacy of individuals before installing, or developing new IT systems.

At a conference in Manchester the organisation, the UK government's data watchdog, described last month's data losses at HMRC as a watershed moment in privacy, and added that in order to reduce the risk of similar incidents firms should implement safeguards to protect data. To support this it has launched a guide to help firms better manage data, and also, to give individuals more confidence in their ability to protect privacy. This is called the Privacy Impact Assessment handbook.

The handbook is designed to suit all organizations, regardless of their size, and thus is quite lengthy. However, it is broken down into relevant areas, and suggests that firms only carry out an assessment if they are implementing tools and systems that have an impact on the privacy of individuals. It adds. "While it is necessary to ensure compliance with privacy laws, there is no obligation to undertake a PIA."

It suggests that firms take a PIA to ensure that they avoid the loss of trust and reputation, to identify and manage risks, to avoid later costs, and to help meet, and exceed their legal requirements. Company directors and senior executives are warned that ultimately they are responsible for ensuring that risks are identified, assessed and managed.

With pushes for stronger legislation happening almost constantly, firms would be advised to carry out such an assessment, if only to ensure their partners, and customers, that their data was looked after in an appropriate manner.

The handbook contains a list of questions for firms to consider, starting with, "Does the project involve new, or inherently privacy-intensive, technologies?" The ICO suggests that these would include smart cards, biometrics, RFID tags, data mining, and the logging of electronic traffic. It then asks, whether the privacy implications of these are well understood by the business, and indeed the public.

Further questions are designed to help firms get a better understanding of their system and its implications on privacy, and data protection. Where firms handle a lot of data, so they should pay more attention to their systems, and their compliance with relevant regulations.