Brian Pennington

A blog about Cyber Security & Compliance


Data Protection Act

Information Commissioner: Businesses ‘waking up’ to Data Protection responsibilities


The Information Commissioner has reported that businesses may be ‘waking up’ to their obligations under the Data Protection Act (DPA) but public confidence in how personal information is being handled continues to decline, the Information Commissioner’s Office (ICO) said today.

Figures published show that nearly three quarters of businesses surveyed now know that the DPA requires them to keep personal information secure. This is up 26% on last year’s figure.

Public confidence has fallen, with less than half of those surveyed believing organisations process their data in a fair and proper manner. Concern is particularly high in relation to web-based businesses, with almost three quarters of individuals believing that online companies are not keeping their details secure.

Information Commissioner, Christopher Graham said:

“I’m encouraged that the private sector is waking up to its data protection responsibilities, with unprompted awareness of the Act’s principles higher than ever. However, the sector does not seem to be putting its knowledge to good use. The fact is that security breaches in the private sector are on the rise, and public confidence in good information handling is declining. Businesses seem to know what they need to do – now they just need to get on with doing it. It’s not just the threat of a £500,000 fine that should provide the incentive. Companies need to consider the damage that can be done to a brand’s reputation when data is not handled properly. Customers will turn away from brands that let them down.”   

The ICO’s annual track survey looks at information rights issues across the board. Other figures released today show that awareness of citizens’ rights under the Freedom of Information Act is increasing.

    • 90% of public authorities surveyed are aware that individuals have a right to see information.
    • 84% also agreed that the Act is needed.
    • 24% of respondents were sceptical that the information they’d like to see is actually being made public.
    • Just half of those surveyed are satisfied that information is readily available and accessible.
    • 70% recognise the ICO’s role as the enforcer of the Data Protection Act, the highest awareness level since the question was introduced to the annual survey in 2004.
    • 53% of businesses surveyed now have a clear understanding of the ICO’s role in this area, compared with 20% last year. This increase is partly driven by the private sector.
    • 58% more breaches have been reported to the ICO so far in 2011/12 than in the same period last year.

The Information Commissioner, Christopher Graham added:

“This survey highlights the increasing importance of accountability and transparency, and the public’s right to know. Almost all public authorities can see the clear benefits of having freedom of information laws. But more needs to be done to make sure that the right information is being made available since only half of citizens surveyed feel they have easy access to the information they want.”


Housing Group breaches the Data Protection Act by Emailing a spreadsheet

Spectrum Housing Group based in Dorset breached the Data Protection Act by sending the personal data of 200 employees to the wrong email address, the Information Commissioner’s Office (ICO) said today.

In March 2011, an employee of Spectrum Housing Group accidentally emailed an unprotected Excel spreadsheet containing employees’ data, including details of their pension contributions, to the wrong external email address. The error was discovered 30 minutes after the email had been sent, at which point the unintended recipient was informed and the data destroyed.

The ICO’s investigation found that at the time of the incident Spectrum Housing did not have a sufficient policy in place to help prevent such incidents and has ordered the company to take action.

Acting Head of Enforcement, Sally Anne Poole said:

“While on this occasion the information compromised was not sensitive, the fact is that at the time of the incident Spectrum Housing Group did not have appropriate controls in place. This case highlights the need for organisations to make sure that adequate checks are in place and documents suitably protected before they are sent out.”

Wayne Morris, Group Chief Executive of Spectrum Housing Group, has now signed a formal undertaking to ensure that spreadsheets or other documents containing personal data are only sent by email where necessary and only contain the minimum amount of data required. The organisation will also consider, where appropriate, password protecting or encrypting documents containing personal information.


Information Commissioner’s Office issues third and fourth fines to Ealing and Hounslow Councils over loss of unencrypted laptops

Yesterday saw the second wave of fines from the Information Commissioner’s Office (ICO) over breaches to the Data Protection Act.

After the landmark first cases in November where monetary penalties were issued to Hertfordshire County Council for ‘two serious incidents’ regarding accidentally sent faxes, and to employment services company A4e for the loss of an unencrypted laptop, two more councils have also been fined for the loss of unencrypted laptops.

When talking to customers I often find they deal with legislation and compliance in silos, e.g. PCI DSS on its own. The reality is that there are common security elements across almost all pieces of legislation and compliance.

A simple way of dealing with this is to ask “how important is the data?”. For example, PCI DSS makes cardholder data important, and the Data Protection Act makes customer personal data important, so why not apply the same levels of protection and controls to both?
