July 11 2007

Information Commissioner rules on privacy breaches

The Information Commissioner is calling on UK chief executives to take the security of employees' and customers' personal information more seriously. His call follows a number of unacceptable security breaches over the last year, involving leading names such as Orange, several high street banks and Littlewoods Home Shopping.

Speaking at the launch of his annual report, Richard Thomas, the Information Commissioner comments: "Over the last year we have seen far too many careless and inexcusable breaches of people's personal information. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying.

"How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each others' forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags? "Business and public sector leaders must take their data protection obligations more seriously. The majority of organisations process personal information appropriately - but privacy must be given more priority in every UK boardroom. Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers."

Over the year, the ICO found Alliance & Leicester, Barclays Bank, Clydesdale Bank, Co-operative Bank, HBOS, HFC Bank, Nationwide Building Society, NatWest, Royal Bank of Scotland, Scarborough Building Society, The Post Office and United National Bank in breach of the Data Protection Act.

Orange Personal Communications Services Ltd and Littlewoods Home Shopping were also found to be in breach of the Data Protection Act following separate investigations.

The ICO received a complaint regarding the way in which Orange processed personal information, and in particular the way in which new members of staff were allowed to share user names and passwords when accessing the company IT system. Following its investigation, the ICO found that Orange was not keeping its customers' personal information secure and therefore was in breach of the Data Protection Act.

In a separate investigation, the ICO ruled that Littlewoods had failed to process customers' data in line with the Data Protection Act. This follows a customer's attempt to stop the company using her personal data for direct marketing purposes. Despite her requests Littlewoods continued to send her marketing materials.

The ICO has now required these organisations to sign a formal undertaking to comply with the Principles of the Data Protection Act. Failure to meet the conditions of the undertaking is likely to lead to further enforcement action by the ICO and could result in prosecution.

To ensure personal information stays private, the Information Commissioner has called for stronger audit and inspection powers for his Office. Currently the ICO can only audit organisations' information handling practices with their consent. The Commissioner wants the right to inspect and audit practices where poor practice is suspected.

During 2006/07, the ICO: