The Information Commissioners Office finally finds its teeth

The Information Commissioners Office finally finds its teeth



By Robin Whitlock

www.millhousedata.com





The Information Commissioner’s Office (ICO) has finally used powers awarded to it in April to fine organisations for breaching the Data Protection Act, among them Hertfordshire County Council and A4E, the employment services company. A4E was fined for the loss of an unencrypted laptop which contained personal information belonging to some 24,000 clients of legal advice centres in Hull and Leicester. The laptop belonged to an A4E employee and was stolen from his home in June. The Hertfordshire County Council fine relates to an incident in which council employees faxed sensitive information to the wrong address. One of the faxes concerned a child sex abuse case.

The ICO is an independent body established to protect information rights in the UK in the public interest. It has a wide remit which includes upholding the right to freedom of information and enforcement of the Data Protection Act. It also oversees the Environmental Information Regulations and the Privacy and Electric Communications Regulations. It has attracted considerable criticism thus far particularly for its refusal to fine Google for its capture of data from unsecured wireless networks during the computer corporation’s development of its ‘street view’ facility. The ICO responded to Google’s behaviour by merely requesting written assurance that such data capture would not happen again along with a requirement to conduct an ICO audit. Privacy advocates including NO2ID and Big Brother Watch were quick to complain stating that the ICO’s lax response was "the latest episode in a litany of regulatory failure that brings disrepute on the Commissioner's Office and which calls into question whether the ICO is fit for purpose", however the ICO remarked in its defence that it would have been difficult to prove in this case that the incident had caused "substantial harm or substantial distress".

The ICO can levy fines of up to £500,000 for a ‘deliberate or malicious data breach’ and according to Dan Raywood writing in SC Magazine, this has led to organisations taking the issue of data protection far more seriously. Neil Stephenson, CEO of the Onyx Group, told Raywood that the establishment of the ICO had caused a ‘mad rush’ from organisations to ensure that data was as secure as possible. "Securing data is key" Stephenson said. "Critical to this is the need for companies to review their data management systems. Investing in a robust system is vital but in order to truly secure data effectively reliable management systems need to be put in place internally". The Onyx Group recommends stiff enforcement of internal practices and regulations alongside investment in encryption software.

As a result of the establishment of the ICO, acquisition of Data Loss Prevention (DLP) software appears to have increased. James Lyne, senior technologist at Sophos, said that "the new powers and the focus on data loss prevention has certainly driven more for us, we have customers coming back and asking about DLP."