In a glaring breach of Data Protection Act compliance last November, two CDs holding the names, addresses and bank account information of 7.5 million families were lost by HM Revenue & Customs. Politicians demanded to know how the agency could so glaringly flout the Data Protection Act 1998 by sending the unencrypted discs via courier. The answer, it turns out, is quite simple. The Data Protection Act 1998, which governs how organisations in the UK must handle personal data, is rarely enforced and often ignored. But that may change in the wake of such serious breaches.
Data Protection Act 1998: Can the ICO ensure compliance?
The Data Protection Act 1998 requires organizations to protect the reams of consumer data they collect and use. It requires them to not only employ state-of-the-art security technology and procedures, but to track where data is stored, who has access to it and how it is being used. It forbids personal information to be used for any purpose other than that for which it was gathered. To comply with the Data Protection Act, businesses that are not already employing sound security and auditing procedures need to invest in technology, personnel and educate staff on how to handle customer data.
But Data Protection Act compliance is not at the top of the list for many companies because the Information Commissioner's Office (ICO) -- the government agency in charge of policing compliance with the Data Protection Act 1998 -- is ill-equipped to enforce the law, said Alan Calder CEO of consulting firm IT Governance. "The reality is that the Information Commissioner's Office has little in the way of resources to ensure compliance," he said. "The vast majority of organisations do little to comply with the principles of the act."
ICO spokesperson Helen Ketton said the office is not authorized to fine companies that violate the Data Protection Act 1998. Instead, it prosecutes and the court determines the fine (which is currently capped at £5,000). But even then the office has rarely prosecuted businesses for violating the act. In 2006/2007, the ICO prosecuted 11 cases, the majority of which involved individuals trafficking in stolen data. No individual fine was greater than £300.
To help beef-up penalties, the office has begun requiring businesses that have been exposed for severe breaches to tell the ICO how they plan to remedy data security. Should breaches occur again, those businesses will be faced with a government audit, an important deterrent as no business wants a government auditor looking over their shoulder, according to Bridget Treacy, a partner with the London-based law firm Hunton & Williams.
For many businesses, compliance boils down to a cost-benefit analysis. Compliance can cost millions of pounds, require the appointment of executive-level data privacy experts, and involve reworking software and procedures, something that many businesses are loathe to do given the paltry fines. "Some solicitors advise clients that if the fine is £5,000 but it takes £100,000 to comply, take the fine," said Robin Hollington, director of consulting services in the London offices of Peapod Consulting. "But those firms are not taking into account the damage to their reputations. The ramifications for getting this wrong can be huge."
The new push for data privacy
Indeed, some major firms have found their failings splashed across the headlines. On March 11, 2007, the Royal Bank of Scotland, NatWest and Barclays Bank were found to have been dumping customer data in bins outside of their branches. Mobile phone carrier Orange was reprimanded earlier this year. All were formally required to improve security procedures and compliance, but none of them have been prosecuted by the ICO.
But some businesses do take data privacy very seriously, not only because of the law, but because it is necessary for business. The mobile phone industry, for one, needs to be trusted by its customers because they handle so much sensitive information, said Amanda Chandler, data protection manager at wireless carrier Vodafone Group Plc.
At Vodafone Group, product managers must show how their projects comply with the law to get funding for the next stage of development. Every program in the company has to consider the lifecycle of the data it gathers, why it is holding it, where it is traveling and when it can destroy data, she said. These decisions are not only driven by concern for the law, but by business success, something Chandler said is much more effective. "The leverage to persuade people to do the right thing is in helping them meet their commercial interest rather than frightening them with legislation," she noted.
Sarbanes-Oxley Act and PCI DSS security standards
Many other organizations have been forced to tighten their data protection by legislation other than the Data Protection Act 1998 and even by industry standards, said Mike Weider, chief technology officer at Watchfire, an IBM-owned firm that provides compliance screening applications for websites. Those that are listed on stock exchanges in the United States must take heed of the Sarbanes-Oxley Act, which includes security-related provisions and is taken very seriously because of the severe penalties that can be imposed on directors. BASEL II has had a similar effect on financial institutions doing business in the European Union.
The payment card industry has enacted its own security standard, the Payment Card Industry Data Security Standard (PCI DSS), which applies to any business that accepts credit or debit cards. These PCI standards have been very effective, Weider said. "PCI has gotten people hopping faster than these compliance issues. Not only do they need to comply, but they need an annual audit done. It forces companies to get their act together."
Those companies that have been apathetic about data privacy may be in for a shock. The government has been talking about getting serious about enforcing Data Protection Act compliance. In November, information commissioner Richard Thomas asked the Ministry of Justice to make knowingly and recklessly violating the act a criminal offence.
The change, should it go through, could create a dramatic challenge for the security industry here. According to Watchfire's Weider, 80% of the websites his firm tests have problems. And, as Vodafone Group's Chandler points out, security is always more expensive to implement retroactively.
Educating IT and other departments
Those changes may seem straightforward enough, but they require businesses to be proactive about their security and, more importantly, they require IT departments to understand that personal information is different from the other data they deal with on a day-to-day basis, said Pauline Brace, principal consultant at Peapod Consulting. They need to be able to find data on individuals, keep it up to date and ensure data does not go to third parties unless those organizations have sufficient security measures.
Peapod Consulting actually audits the security measures its clients' vendors have implemented before they can pass data to that vendor. Under most circumstances, IT departments cannot test applications using production data because it wasn't gathered for that purpose. To comply, businesses need to think about everyone who touches personal information and how it moves through IT systems.
"At the end of the day, organizations must appoint someone to worry about this," Brice said. "The key to success is establishing a common language between IT and other departments. A huge amount of education needs to be done."