Thomas Eggar

Data protection privacy issues


A timely reminder

Most businesses are too complacent about data protection and privacy obligations. Many businesses assume that once they have completed the notification form on the Information Commissioner's Office ("ICO") website, paid the nominal fee, and perhaps included some basic statements about privacy on their website, this is all they need to think about to ensure compliance with this particular legislation. We heard in this week's news that the practice of selling customer lists and customer information is still widespread (T-Mobile is being prosecuted for the sale of customer information to its competitors), and the concern has been that sanctions for breach are too light to really act as a deterrent.

More than 50% of clients that I advise assume that the Data Protection Act goes no further than understanding the issues and confirming on your website that you are aware of this. An internal corporate policy, training of staff, applying security measures and understanding the restrictions under the Act are largely ignored. This is not limited to small and medium-sized enterprises: I have also advised a number of multinational organisations that freely transfer personal information intra-group, and often to overseas subsidiaries, especially in the USA and India, without considering that this is specifically prohibited under the 8th principle of the Data Protection Act.

Are custodial sentences the next step?

We hear more and more in the media and from public interest organisations that these breaches must be taken more seriously, and following this week's breach by T-Mobile the Information Commissioner, Christopher Graham, is starting to talk about imposing custodial sentences for breaches of the Act. A process is already in place, and likely to be implemented in early 2010, to increase fines levied against organisations that breach data protection obligations. There have been suggestions that, as with competition law and antitrust issues, fines may be calculated as a percentage of a company's turnover, so that personal information issues will start to be taken more seriously.

Data protection and privacy issues need to be treated more seriously, and companies must find the time and resources to put in place suitable policies, training and awareness, as well as having the systems in place to ensure that personal information, if and when held, is properly managed. There needs to be more than a simple two-line boilerplate clause in contractual documents where IT subcontractors or third-party outsourcing service providers have access to this information, and clear steps supported by management and audit rights need to be put in place so that compliance is no longer taken for granted.

We can assist you

At Thomas Eggar we have a team of lawyers who specialise in the auditing of data protection issues for companies together with a planned programme of documents, training and processes so that a company is fully compliant with the necessary legislation and does more than insert a couple of sentences at the bottom of its website or in its contracts thinking that this is all that is required.

 
Chichester Gatwick London Newbury Southampton Worthing Call 0870 160 1300