Personal Information Promise
By Simon Thorpe on Feb 02, 2009
The UK's Information Commissioner has launched a new initiative to encourage businesses to raise their standards of information protection. The move was timed to coincide with European Data Protection Day on Jan 28th 2009. The new Personal Information Promise is a voluntary initiative whereby organizations undertake to go above and beyond the requirements of data protection law, and reflects the Commissioner's desire to see "people protection" hardwired into business culture.
The promise is made up of 10 statements:
- Value the personal information entrusted to us and make sure we respect that trust.
- Go further than just the letter of the law when it comes to handling personal information, and adopt good practice standards.
- Consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems.
- Be open with individuals about how we use their information and who we give it to.
- Make it easy for individuals to access and correct their personal information.
- Keep personal information to the minimum necessary and delete it when we no longer need it.
- Have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands.
- Provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don’t look after personal information properly.
- Put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises.
- Regularly check that we are living up to our promises and report on how we are doing.
The initiative also reflects the growing concern, illustrated by the constant flow of data breach stories, that the letter of the law is not enough in itself. Indeed, as recently as the previous week, the Commissioner had formally taken enforcement action against some National Health Service trusts and the Home Office following recent data losses.
The first 20 organizations to take the pledge include companies such as Vodafone, British Telecom, and AstraZeneca. "Organisations are waking up to the fact that privacy is now so significant that lapses risk reputations and bottom lines," said Richard Thomas, Information Commissioner.
Not wishing to sound cynical, but looking at the FAQs:
Q: What is the aim of the Promise? A: The Promise is intended to help strengthen public trust and confidence in the way organisations handle their personal information... It also sends a clear signal to the workers in the organisation about the importance of looking after people’s personal information and that this is something taken very seriously at senior level.
Q: Does it create additional legal obligations? A: No, the Promise does not create additional legal obligations.
Q: How will the ICO use it? A: The ICO do not intend to use this as an additional regulatory tool – we will continue to use the Data Protection Act and associated legislation for our enforcement role.
So it is neither a legal requirement nor something the ICO will actually regulate against. Surely, then, this "promise" is something we would expect EVERY company that handles our personal information to deliver anyway? If so, the list of signed-up companies ought to become rather extensive. Will getting a senior executive to sign a piece of paper that they are neither regulated against nor legally obliged to follow add any value to the existing Data Protection Act? If anything, it may be another way to raise awareness of why companies need to protect our data. We can but hope.