ICO to 'focus' on health sector when enforcing info rights

A breach too far?

The Information Commissioner's Office (ICO) is to give "particular regulatory attention" to health organisations as it focuses on areas most likely to result in damage to people's information rights, the watchdog has said.

The ICO, which ensures compliance with UK data protection, e-privacy and freedom of information laws, announced the priority as part of a new information rights strategy. Other areas the ICO will focus its attention on are credit and finance, criminal justice, internet and mobile services and security, the strategy said.

The ICO said that it is impossible to "address all risks to the upholding of information rights equally". It said it would make choices about the cases it would take enforcement action in based on the benefits it perceives could be achieved by doing so.

"We cannot address all risks to the upholding of information rights equally nor should we attempt to do so," the ICO said in its information rights strategy (17-page / 303KB PDF). "We will make choices where we can whilst acknowledging that the legislative framework imposes certain obligations on us particularly in relation to our casework."

"We have to recognise that there is a legitimate expectation that we will enforce the law, that the decisions we take will be robust ones and that we have to provide good customer service but this does not mean that we cannot make choices," it said. "Our choices will be driven by the external outcomes we are seeking – how can we deploy our effort and the effort of those we regulate in a way that makes the maximum long term and sustained contribution to the outcomes we are seeking and does not just provide short term fixes? Put simply – how do we deliver best value for money in the upholding of information rights?"

When choosing the cases to pursue the ICO will "take account of factors such as the volume, nature and sensitivity of information involved and the number of people whose information rights might be impacted on in any situation".

The ICO also said it would weigh up the issues that are in the public interest when prioritising its workload. The watchdog said it would take into account the importance the public places on "different aspects of information rights" and said it was prepared to adopt positions that are not "universally popular".

"We take the view that sometimes the public interest will be best served by us acting to protect the information rights of minorities or by us drawing attention to the downsides of new developments that might otherwise appear attractive," the ICO's strategy said.

Decisions on ICO intervention will also be assessed on how likely that action is "to make a real difference" where the aim will be to get "as big a return in furthering delivery of our desired outcomes as is possible for the resources we and those we regulate invest," the watchdog said. The ICO will be pro-active in attempting to prevent breaches of information rights from occurring rather than devoting resources to a "cure" when breaches happen.

"Education, awareness raising and the provision of guidance are therefore key activities for us," the strategy said.

The ICO said it would look for opportunities to "defend or promote" rights concerned with information in the public sector where bodies are supposed to be "open and accountable" with how they spend public money and in their decision making.

Priorities will "inevitably" be determined by an "element of subjective judgement involved in the assessment of information rights risks" but this judgement will be based "as far as possible" on "evidence, analysis and experience," the ICO said.

The ICO said it was committed to ensuring its activities were conducted transparently, proportionately, consistently and on a targeted basis, and said it would be accountable for its work.

Broad goals for the ICO to achieve as part of its information rights strategy include ensuring a "high proportion" of members of the public are aware of their information rights and how to exercise them, and helping to develop this understanding within the "formal education system".

The ICO also hopes to improve public confidence in the upholding of information rights. The strategy contains further aims to establish "a high level of awareness" within organisations of their obligations under information rights law and to ensure that those obligations are met. Organisational culture, processes and new systems should contain good practice in how information rights are complied with, the ICO said.

Information Commissioner Christopher Graham said that businesses should not cut back on data security as a result of financial pressures.

"Businesses under pressure in the downturn must be tempted to cut corners and push boundaries," Graham said in a blog post. "That’s a bad call, since the first casualty of a big data breach is going to be a brand’s reputation. Consumers will abandon companies that disrespect their privacy. (And that’s leaving aside the ICO’s power to levy a civil monetary penalty of up to £500,000 for serious breaches of the data protection principles.)"

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
