IT in dark over data protection

Firms need more guidance on how to protect electronic information to avoid penalties under data protection laws, according to security experts.

Systems integrator Prime Business Solutions last week called for further guidance from the government's Information Commission to help firms comply with the Data Protection Act. The company said that under the act, data controllers are obliged to take "appropriate technical or organisational measures to prevent the unauthorised or unlawful processing, or disclosure of data".

However, it said there is no clear advice on what constitutes "appropriate measures". Instead the government directs firms towards complicated industry standards such as BS7799.

Chris Gabriel, security director at Prime Business Solutions, said IT managers are being left in uncertainty. "It's not fair to tell companies to take appropriate measures to protect systems, and then not tell them what the measures are," he said. "The Information Commission should get together with an organisation such as the CESG (the UK government's information assurance arm) to come out with more solid guidance, as it's the companies that could face prosecution."

But David Clancy, policy manager at the Information Commission, said his organisation is reluctant to recommend particular solutions. "We cannot recommend one technology as in two months time it might be out of date," he said. "If it is highly sensitive information we would expect it to be protected by the most up-to-date tools. But if it is accessible through things such as public registers then it would not need such protection."

Have your say: reply to IT Week