Monday I talked about France’s 2006/2007 CNIL privacy report. The United Kingdom (UK) also recently released their 2006/2007 data protection report.
Remember, any organization that has offices located within the UK or has customers in the UK must follow the UK's data protection (privacy) laws. This is generally true for any country (an organization must comply with the laws of each country it operates in or serves customers in), not just the UK.
Some important points within the U.K. ICO annual report for organizations to note:
* Public awareness of privacy is at an all-time high, yet a significant number of UK business and public sector organizations do not have privacy practices in place or adequate safeguards for personally identifiable information (PII).
So don't assume that, just because you are not audited by the regulatory oversight agency, no one will know that you are not following data protection law requirements. If consumers notice, the trend is that they will file a noncompliance complaint.
* The Information Commissioner’s Office (ICO) plans to increase penalties for data protection noncompliance and incidents to include prison sentences.
NOTE: In February, the U.K. Department of Constitutional Affairs announced plans to submit amendments for the Data Protection Act to allow up to two years in prison for anyone convicted of selling or deliberately misusing PII.
The types of complaints that the ICO received are interesting:
“Nature of complaints
The business areas generating the most complaints are as follows:
Internet 13.32%
Lenders 12.12%
Direct marketing 10.32%
Telecoms 7.15%
The most frequent reasons for complaining are as follows:
Subject access 28.94%
Inaccurate data 17.55%
Unwanted telesales calls 15.51%
Disclosure of personal data 10.05%
Unwanted sales faxes 6.33%
Unwanted sales email 5.94%”
Notice that the largest category of complaints (subject access) was for not providing individuals with access to view the PII the organization held about them, and also for not allowing them the ability to correct erroneous PII.
Most organizations I have spoken with do not have procedures or technical capabilities in place to allow individuals access to their PII, and even fewer have the procedures and technology in place to determine if PII correction requests are valid, and then to update the PII.
It is also rare to have customer service and call center personnel trained and aware of how to communicate with individuals about their organization's privacy practices, or of how to verify the identity of callers and then allow PII access only to verified individuals.
The following are some of the penalties and enforcement actions listed within the ICO’s activities for the year:
“May 2006: our view that the Scottish National Party’s marketing telephone calls are in breach of electronic privacy regulations is upheld by the Information Tribunal.
May 2006: we issued our first enforcement notices under the Freedom of Information Act, requiring the government to release information on the legality of the Iraq war.
July 2006: we found the B4U website in breach of the Data Protection Act and issued an enforcement notice against its use of electoral register information.
July 2006: we prosecuted a bogus caller for breaching the Data Protection Act; he was found guilty and fined £600 plus costs.
July 2006: we prosecuted a finance company for failing to notify under the Data Protection Act. The directors were found guilty and fined £300 each plus costs.
July 2006: we ordered the Health Protection Agency to release information about a case of Legionnaire's disease in a Malta hotel.
September 2006: we ordered the disclosure of MPs’ travel expenses.
September 2006: we ruled that Ofcom must release data on mobile phone base stations.
October 2006: we investigated allegations that customers’ data is not properly protected in some overseas call centres.
October 2006: the courts ordered two men to pay back money they gained by posing as a bogus data protection agency.
November 2006: we prosecuted a husband and wife team for the illegal obtaining of personal information. They were found guilty of 25 cases and fined over £7000 plus costs.
December 2006: we served enforcement notices against five companies for making illegal telesales calls.
December 2006: a man who illegally obtained and sold personal information was sentenced to 150 hours community service.
December 2006: we ordered Derry Council to release information about an agreement with Ryanair under the Freedom of Information Act.
January 2007: we successfully prosecuted Liverpool City Council for failing to respond to an Information Notice under the Data Protection Act.
January 2007: we ordered Braintree District Council to release information on the properties it owns, and Liverpool City Council to release information relating to managed zones for prostitutes.
January 2007: four men sentenced to jail for their involvement in bogus data protection agencies.
February 2007: we ruled that West Midlands Passenger Transport Executive was right to treat multiple information requests as vexatious.
February 2007: we ordered the London Borough of Camden to release information on ASBOs.
March 2007: we found 11 banks in breach of the Data Protection Act.”
Notice the ICO’s activities covered a very wide range of privacy issues, and that their penalties and fines were also wide-ranging, including community service, monetary fines and prison time.
It is also important to note that over 23,000 cases were reported during the 12-month period the report covered. The remedial action the ICO required of organizations found to be in breach of the Data Protection Act included, in addition to fines, correcting an individual's record, implementing a data protection policy, and/or improving or implementing information security and privacy training and awareness communications.
Once more, a regulatory oversight agency recognizes the importance of awareness and training, and requires organizations to implement information security and privacy education programs to raise awareness and understanding of data protection requirements and to mitigate the risks to PII.