Privacy watchdog urges crack down on data breaches

ICO annual report outlines vast number of "unacceptable privacy breaches" during previous year

The Information Commissioner’s Office (ICO) launched its annual report today, with an urgent call for chief executives to prioritise protection of their customers’ sensitive data in response to a number of “unacceptable privacy breaches” during the past year.

Speaking at the launch of the report, information commissioner Richard Thomas said that organisations in the private and public sector needed to raise their game in the data protection stakes.

“Over the last year we have seen far too many careless and inexcusable breaches of people’s personal information,” Thomas argued. “The roll call of … organisations which have admitted serious security lapses is frankly horrifying.”

The report outlined a wide range of previous incidents to highlight the scale of the privacy problem, including Liverpool City Council being fined £300 in December 2006 for failing to comply with the Data Protection Act (DPA), and an investigation into high street banks such as NatWest and Barclays Bank, which revealed that customer data was being thrown away in rubbish bins outside the banks’ premises.

“How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each other’s forms?” Thomas added.

Over the past year, the ICO has dealt with more than 23,000 written data protection enquiries and complaints.

The privacy watchdog is likely to use the information in the report as evidence of the need for stronger enforcement powers. Earlier this year, Thomas called for the automatic right to inspect and audit companies suspected of breaching DPA compliance. Currently this activity requires the organisation’s consent.

“The sheer weight of evidence supports the idea that the information commissioner needs stronger powers,” said Cliff Evans, ID management lead at consultancy Capgemini. “But more auditing work has an implication on resources. The ICO needs to communicate with organisations and make them more aware of their responsibilities.”

Evans added that more emphasis should be put on protecting paper documents. “Firms are applying the DPA to electronic data, but they need a reminder about the importance of controlling physical data access,” he argued.