As reported a couple of days ago by Outlaw.com, HMRC have in recent years been criticised like many other bodies for their failures in complying with the Data Protection Act 1998 by the Information Commissioner’s Office (ICO). The data breaches and the publicity generated has obvious implications for public confidence in the ability of public bodies in particular to administer personal information in compliance with the legislation.
Businesses should be on guard as they are far from immune to negative publicity generated when a breach of data security is revealed. Financial institutions such as banks and building societies have had their own share of negative publicity due to non compliance with data protection law. It is only a matter of time before such adverse publicity stretches further out into industry as a whole. Data protection laws are no longer a marginal issue, if they ever were. Nor is ignorance an excuse for non compliance.
How do such a vast number of organisations, be it public or private, get data protection compliance so wrong? Whilst the legislation itself is by no means clear, and there are wide industry calls for reform of the current legislation, the ICO have published many editions of data compliance manuals for different industry sectors, and there is no shortage of businesses offering their own data protection compliance services. This is perhaps what makes it more surprising when larger businesses have flagrant breaches of data protection law exposed in the media.
What seems to be at the root of the problem is that businesses may well register with the ICO, develop or enhance their own data protection policies, but fail to put data protection compliance into practice on a day to day basis. What could be fuelling the problem is that policy is filtered through so many channels and departments before it actually reaches the individuals actually delegated to handle data, or perhaps a lack of genuine understanding of obligations from the core policy makers of a business. Whatever the internal causes, making sure all those handling data understand the business’ obligations is key to successful compliance and avoiding the likelihood of a hugely damaging public embarrassment.