ICO slates local authorities on data protection compliance

Graham: You've been 'very bad'. Bend over

The Information Commissioner has called for the commencement of the custodial element of the section 55 offences and expressly criticised data protection compliance by local authorities as being “very bad”.

He also criticised data controllers, especially in banks and financial services, as uncooperative with consensual data protection audits, and he anticipates that agreement over the text of a forthcoming data protection directive will be protracted and take “years”.

These points were made during wide-ranging questioning by the House of Commons Justice Select Committee at a hearing yesterday.

The Commissioner made an impassioned plea for Parliament and government to commence the custodial element of the section 55 offence, so that the full panoply of legal penalties would be available to the courts. He complained that, because a fine is currently the only penalty that can be imposed, other non-custodial penalties (eg, community service orders) are unavailable to the courts.

This emphasis on non-custodial sentences is politically adroit. First, it does not involve custodial sentences, as the government wants to reduce the prison population. Secondly, the Commissioner is reminding Parliament that it can separate the issue of generally strengthening the section 55 offence from the specific Special Purpose problems, which can properly be left to the Leveson Inquiry (into phone hacking by journalists).

The Commissioner also revealed that the government is thinking of making the section 55 offence a “recordable offence”. This would mean that anyone prosecuted under the Act would have an entry on the DNA database for their lifetime. The Commissioner also noted that even under the current arrangements, where the maximum fine is £5,000, the going rate is about £100 to £150 per offence. This level of fine, he stated, was no deterrent at all.

The Commissioner stated that he has no powers of audit except in limited circumstances and made a plea for a general power of inspection in circumstances where there was reasonable cause to believe that data protection compliance was deficient. Currently only one in five data controllers agree to a consensual audit; the Commissioner strongly suggested that the financial services sector would be a focus if such powers were granted.

The Commissioner expressly pointed to the offence involving a Barclays Bank employee: a Section 55 prosecution of a bank employee who was married to a person prosecuted for a sexual offence, and who accessed the financial records of the victim to check on the victim's spending habits. In this context, he expressly regretted that private sector data controllers are "backwards in coming forward" to volunteer for a data protection audit. The Commissioner said he could not understand why the offer of a “free audit” was rejected by 80 per cent of data controllers; in the context of the high street banks, the Commissioner called this stance “short sighted”.

The Commissioner recommended that “mystery shoppers” should be employed, especially in the area of disclosure. So if your organisation is employing penetration testing in relation to its security compliance, it might be useful to check whether disclosure procedures form part of those tests.

In relation to the forthcoming new text of the Directive, the Commissioner:

  • expected it to be published in November or December;
  • used the term “Framework Directive” – this implies that there will not be a Regulation to implement any new data protection rules;
  • wanted a “principle based” approach – this would mean that in any new legislation, the Commissioner would have more flexibility in relation to interpretation and enforcement of those principles in the light of technological developments;
  • focused on the Accountability Principle as being especially important – this Principle would firmly embed data protection into information governance structures;
  • expected that it would contain a power of inspection and audit;
  • expected that the negotiations over the text would take “years”; and
  • is holding a conference in the Spring to engage with data protection stakeholders.

Links

See the ICO’s evidence session video here (first 30 mins deal with DP).

More on the Leveson Inquiry into hacking here.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
