IFSEC Insider | Security and Fire News and Resources

Learn from Government’s data errors, businesses told

Anthony Pearlgood, the man in charge of information destruction at the BSIA, said compliance with the Data Protection Act is crucial for every business.

“By contravening the requirements of the Act and not sufficiently protecting confidential information, businesses run the risk of prosecution by the Office of the Information Commissioner.”

Yesterday it emerged that a breach of data protection guidelines had led to the loss of the personal data of 25 million people and the eventual resignation of HM Revenue and Customs (HMRC) chairman Paul Gray.

And it was not the department’s first error this year. In October, a laptop holding details of up to 2,000 people with investment ISAs was stolen, and 41 laptops have been pilfered from HMRC in the last 12 months.

Under the terms of the Data Protection Act, organisations are expected to strike a balance between the privacy of individuals and the need to store personal data for legitimate reasons.

Need-to-know basis

This means organisations should not hold unnecessary information about people and, as highlighted this week, should make sure it is held securely and distributed on a strict need-to-know basis.

Staff should also be trained in, and fully aware of, their data protection responsibilities. However, HMRC has blamed the latest error, which has put up to 7.5 million families at risk of fraud, on a junior member of staff.

Today Chancellor Alistair Darling tried to offer reassurance in a statement to parliament.

“The UK Payments Association has confirmed the missing data is not enough in itself for someone to access a person’s bank account for fraudulent purposes,” he said.

“But,” he added, “we have to recognise the increased risk caused by this missing data”.

Improving data protection

The BSIA has produced an online audit that aims to help businesses assess whether their confidential waste is being disposed of securely.

“By making sure that you have stringent confidential waste disposal procedures in place, you will protect not only your business, but also your customers and suppliers from the risk of identity fraud,” said Pearlgood.

To help companies determine how well they comply with data protection principles, the Information Commissioner’s Office (ICO) has issued a complete audit guide on its website. The 166-page guide (available here) gives advice and information on the audit process and undertaking risk assessments.

Failure to comply

The ICO has legal powers to make sure organisations comply with the requirements of the Data Protection Act, and has criticised HMRC over the recent data scandal.

Acting at arm’s length from the Government, the organisation regularly uses its powers to change the way public bodies and private companies handle and dispose of the data they store.

Richard Thomas, the Information Commissioner, said the security breach at HMRC illustrates that data systems are only as good as their weakest links.

“The alarm bells must now ring in every organisation about the risks of not protecting people’s personal information properly.

“It is imperative that organisations earn public trust and confidence by addressing security and other data protection safeguards with the utmost vigour.”

Earlier this month, the ICO forced the Foreign and Commonwealth Office to sign a formal undertaking to make sure it complies with the Data Protection Act.
