But is it time for the ICO to take a tougher stance?
Large private sector companies are lagging behind their public sector counterparts when it comes to data protection knowledge, according to new research from the Information Commissioner’s Office (ICO).
Just under half of private sector firms quizzed said, without prompting, that they should store personal information securely, compared to 60% of public sector organisations. Awareness overall about the Data Protection Act has increased over the last year but those levels are still higher in the public sector than among private sector organisations.
Awareness is also on the rise for members of the public. Over 90% of individuals ranked ‘protecting personal information’ as a socially important issue, with only ‘preventing crime’ higher on the list. Nine in ten people are aware of their right to be able to see any information that a company or an organisation holds about them, up 15% since 2004.
"A strong awareness of data protection obligations is of fundamental importance to any organisation. Businesses need to show they are taking data protection seriously. Failing to do so could not only lead to enforcement action, it could also do significant damage to their reputation," said Information Commissioner Christopher Graham.
Chris McIntosh, CEO of encryption firm Stonewood, was less impressed with the results. "It’s shocking to hear that over half of private businesses still haven’t got a grasp of the Data Protection Act. This suggests that the ‘it will never happen to me’ approach is still in full force, despite estimates for the number of data loss victims in 2010 reaching over 100 million," he said.
"Businesses need to reflect on the consequences of this failure to understand the DPA, as they hold copious amounts of valuable personal data. In fact the average monetary value alone of data contained on a laptop is half a million pounds. Beyond this, businesses can and have lost large contracts as a result of data loss. Leaving personal data unencrypted on a laptop or USB drive is completely irresponsible – not to mention in breach of the DPA – and the implications include prosecution, loss of customers and ultimately the failure of a business," McIntosh added.
He added that it’s time the ICO started handing out fines for data breaches. "To deal with this attitude, the ICO really needs to stick with its promises and finally start levying appropriate fines. When it comes to securing personal data it’s obvious that actions say more than a thousand words."
The ICO has faced severe criticism this week for its handling of the Google Wi-Fi snooping revelations, after the search giant admitted that its Street View cars mistakenly collected personal data, including full emails and passwords, while mapping cities around the UK and the rest of the world.
A letter signed by Privacy International, NO2ID, Big Brother Watch, Action on Rights for Children and the Open Rights Group, said the ICO has "completed a full reversal of its position… In our view the ICO is incapable of fulfilling its mandate. The Google incident has compromised the integrity of the Office. We can think of very few substantial privacy issues over the past ten years that the ICO has championed. In most cases the Office has become part of the problem by either ignoring those issues or by issuing bizarre and destructive rulings that justify surveillance rather than protecting privacy."