Information Commissioner's New Risk Reducing Approach

Data protection officers from across the country met last week (March 10) to address some of the key data protection challenges facing organisations in 2008 as the protection of personal information becomes an increasing priority for both organisations and individuals.

ICO's New Report - click here to downloadThe Data Protection Officer conference in Manchester, hosted by the Information Commissioner’s Office (ICO), also launched the ICO’s data protection strategy.

The data protection strategy sets out how the ICO goes about its task of minimising data protection risk. In doing so it explains how the ICO will focus its data protection resources on situations where there is the greatest risk of harm to individuals through improper use of their personal information.

Recent security breaches in both the private and public sector have highlighted the need for organisations to ensure personal information is processed securely. The conference examined how data protection officers can encourage organisations to adopt appropriate security measures when working with personal information.
 
David Smith, Deputy Commissioner, said: “High profile data losses in the last few months have demonstrated the importance of data protection. As increasing numbers of organisations are collecting more and more personal information, it is essential that effective data protection policies and practices are in place. Vigilance and strong leadership are needed at the highest level in all organisations to ensure data protection is taken seriously.”

The document intoduces itself by setting the scene for the future of data protection enforcment:

"Our data protection purpose is to make this vision a reality. At its heart is ensuring, in a responsible and measured way, that the rights and obligations set out in the Data Protection Act 1998, the Privacy and Electronic Communications Regulations 2003 and related legislation are respected. This means that we are primarily concerned with regulating the processing of personal data by the state, by businesses and by other organisations and not with processing by individuals in their purely personal capacity.

However we are not seeking compliance with the law as an end in itself. Making our vision a reality means minimising data protection risk for individuals and society. The law is the main tool we have at our disposal to achieve this, but we go further and promote good practice. Good practice may go beyond simply meeting the requirements of UK law but will always be consistent with the law as well as with the EU Data Protection Directive (95/46/EC) and ultimately with the right to respect for private life enshrined
in Article 8 of the European Convention on Human Rights.”

In detailing the new approach by the Information Commissioner's Office (ICO), the doument continues:

"Being a strategic regulator means that, in so far as we have a choice, we have to be selective with our interventions. We will therefore apply our limited resources in ways that deliver the maximum return in terms of a sustained reduction in data protection risk. That is the risk of harm through improper use of personal information.”

The ICO says that it will concentrate more on the avoidance of this risk than strict enforcement of the law:

"We are not seeking compliance with the law as an end in itself. Making our vision a reality means minimising data protection risk for individuals and society. The law is the main tool we have at our disposal to achieve this, but we go further and promote good practice. We cannot address all areas of data protection risk equally, nor should we attempt to do so."

The ICO identified a number of areas in which it will concentrate its attentions.
These include:

  • fighting the unlawful trade in personal information;
  • battling the increasing surveillance of UK residents;
  • monitoring increasing information sharing between organisations; and
  • undertaking data protection supervision.

"One consequence of our approach is the likelihood that we will need to devote proportionately more of our policy work to developments in the public sector than to developments in the private sector. This is a recognition of where the most serious data protection risks can arise."

The ICO said that it would try to prioritise, but that some judgments involved a degree of subjectivity:

"We will give priority to tackling situations where there is a real likelihood of serious harm to individuals or society. The necessary judgements especially about seriousness are not always easy. Loss of privacy can qualify as a harm in its own right, but there are difficult issues of objectivity and subjectivity. Some individuals value their privacy more than others. Our approach will be as objective as possible."

The ICO has consistently argued for more resources and greater powers.

Information Commissioner Richard Thomas has warned that the UK is becoming a surveillance society and has said that he needs more staff to tackle the problems of privacy and data protection. He submitted a proposal to Government in January of this year asking for a new offence to be created of recklessly or knowingly breaching data protection principles, which would be punishable by unlimited fines.He also asked for the power to put an immediate stop to data processing by any organisation that he thought was "seriously unlawful".

Source: Information Commissioner's Office / Workplace Law


 
 
Icon: back to news
 

Designed, Hosted and Maintained by Union Safety Services