How Are You Handling Personal Information?
Banks, retailers, recruiters and other organizations must adopt adequate measures to protect employee and client data immediately or else risk prosecution. In fact, the United Kingdom’s Information Commissioner recently announced it had found 12 firms, including Barclays and NatWest, in breach of the Data Protection Act and had ordered them to sign formal undertakings. Leading telecom company Orange has also been found in breach of this regulation, according to Commissioner Richard Thomas.
“How can laptops holding details of customer accounts be used away from the office without strong encryption?” Commissioner Thomas asked during the recent launch of his agency’s latest annual report. “How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each other’s forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags?”
The Information Commissioner’s Office (ICO) enforces the UK’s Data Protection Act 1998, the Freedom of Information Act 2000, the Privacy and Electronic Communications Regulations 2003, and the Environmental Information Regulations 2004. The Data Protection Act requires organizations to manage personal information responsibly, while the Privacy and Electronic Communications Regulations support the aforementioned Act by regulating the use of electronic communications for unsolicited marketing to individuals and organizations. The Freedom of Information Act, meanwhile, gives people the right to access information held by public authorities; and the Environmental Information Regulations provide access to environmental information held by public and private bodies.
“The collection of biometrics and other personal information as a weapon in the fight against terrorism and serious crime, the increased sharing of our personal information to improve public services, and ever more inventive forms of electronic marketing, are all examples of ways in which this private space is under challenge,” the ICO report states. “Legitimate aims are, for the most part, being pursued but protecting the privacy of our personal information in a measured and responsible way has never been of more importance. The existence of a law is not, on its own, enough to achieve this. The law must be applied in practice.”
ICO emphasizes the need to follow the principles established in the Data Protection Act. Personal information must be: fairly and lawfully processed for limited purposes; adequate, relevant and not excessive; accurate and up to date; kept no longer than necessary; processed in line with individual rights; secured; and transferred to other countries with adequate protection. ICO has also been involved in the investigation of the Society for Worldwide Interbank Telecommunication (SWIFT) issue.
According to the ICO report, in June 2006 the agency, along with several data protection authorities in the EU and worldwide, received a complaint about “alleged covert disclosure” of information on EU nationals, specifically UK citizens, to the United States by the international financial messaging service. After it was determined at the EU level that the information had been transferred “in a manner contrary to fundamental data protection principles,” ICO asked UK financial institutions to consider the measures needed to comply with data protection standards. Among other technical and legal advice, ICO also advises companies on privacy-enhancing technologies and radio frequency identification tags, and advises marketers in particular about the Privacy and Electronic Communications (EC Directive) Regulations 2003.
A spokesman for the UK’s John Lewis told the BBC the department stores don’t collect data in ways in which specific customers are readily identified. “It’s more about trends and protecting their interests – if there was a fraudulent transaction, picking it up because we have an insight into their sort of habits,” the spokesman explained. The BBC also provided government advice on how individuals may protect themselves from identity theft, which reportedly costs the UK government £1.7 billion a year and each victim 300 hours to solve. Among the tips are the following:
• Rip or shred all documents containing personal information.
• Keep personal documents in a safe, in the bank or at your lawyer’s office.
• Do not provide financial information via email or telephone.
• Equip your computer with anti-virus, anti-spyware and anti-spam programs.
• Don’t write down or save passwords; and stay away from obvious passwords.
• Check financial statements and credit records regularly to detect irregularities.
• Redirect mail to new addresses.
Victims should contact the police and their banks right away and keep track of all documents and hours spent solving this crime. Meanwhile, when signing an undertaking, a person generally doesn’t have to admit the acts he or she is accused of. However, if the promise not to engage in these acts in the future is broken, the signatory will be in contempt of court and may be imprisoned.