Wednesday Jan 13, 2010

UK Data Losses to Incur Fines Up to £500,000

The BBC reports that the British Secretary of State for Justice has approved a new rule to empower the Information Commissioner's Office to impose fines up to £500,000 for data breaches.

Fines will be in proportion to the severity of the breach and the resources of the erring organization.

In a press release, Information Commissioner Christopher Graham, said: "Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."

Monday Dec 14, 2009

Privacy watchdog warns about unacceptable level of data loss, highlighting the NHS


The Information Commissioner's Office (ICO) is continuing to raise awareness of data loss and highlights that in 2010 companies need to do more to protect customer and patient information. In a recent report they quote;

"Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media."

The warning from the office comes with news that the worst offenders are in the health care industry. "We have investigated organisations, including several NHS bodies, that have failed to adequately secure their premises and hardware, which has left people's personal details at risk," said Mick Gorrill, the assistant commissioner with responsibility for investigations.

In the same month the ICO also released an excellent and much needed plain english guide to data protection.

Looking at the results of current research and also at the findings of risk assesments, Information Rights Management is a technology well designed to provide a fast solution to the loss of data in environments where security is hard to enforce. How do you control access to content that is lost by someone you've sent it to at another location outside your firewall? Oracle IRM provides the ability to secure and track that information no matter where it resides.

Loss of data in 2010 is to get more expensive as new laws allow the ICO to implement fines. David Smith, Deputy Information Commissioner, says: "Since November 2007 we have taken action against 54 organisations for the most reckless breaches in line with our commitment to proportionate regulation. Some of these breaches would trigger a significant fine for organisations were they to occur after the introduction of monetary penalties in 2010. We are keen to encourage organisations to achieve better data protection compliance and we expect that the prospect of a significant fine for reckless or
deliberate data breaches will focus minds at Board level."

If you want to learn more about Oracle IRM, have a look at some of the videos on our YouTube channel and please contact us if you want to undertake a free evaluation.

Monday Feb 02, 2009

Personal Information Promise

pip_billboard.jpg The UK's Information Commissioner has launched a new initiative to encourage businesses to raise their standards of information protection. The move was timed to coincide with European Data Protection Day on Jan 28th 2009. The new Personal Information Promise is a voluntary initiative whereby organizations undertake to go above and beyond the requirements of data protection law, and reflects the Commissioner's desire to see "people protection" hardwired into business culture.

The promise is made up of 10 statements;

  1. Value the personal information entrusted to us and make sure we respect that trust.
  2. Go further than just the letter of the law when it comes to handling personal information, and adopt good practice standards.
  3. Consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems.
  4. Be open with individuals about how we use their information and who we give it to.
  5. Make it easy for individuals to access and correct their personal information.
  6. Keep personal information to the minimum necessary and delete it when we no longer need it.
  7. Have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands.
  8. Provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don’t look after personal information properly.
  9. Put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises
  10. Regularly check that we are living up to our promises and report on how we are doing.
The initiative also reflects the growing concern, as illustrated by the constant flow of data breach stories, that the letter of the law is not enough in itself. Indeed, as recently as the previous week, the Commissioner had formally taken enforcement action against some National Health Service trusts and the Home Office following recent data losses.

The first 20 organizations to take the pledge include companies such as Vodafone, British Telecom, and AstraZeneca. "Organisations are waking up to the fact that privacy is now so significant that lapses risk reputations and bottom lines." said Richard Thomas, Information Commissioner.
Richard Thomas

Not wishing to sound cynical but, looking at the FAQ's;


Q: What is the aim of the Promise? A: The Promise is intended to help strengthen public trust and confidence in the way organisations handle their personal information... It also sends a clear signal to the workers in the organisation about the importance of looking after people’s personal information and that this is something taken very seriously at senior level.
Q: Does it create additional legal obligations? A: No, the Promise does not create additional legal obligations.
Q: How will the ICO use it? A: The ICO do not intend to use this as an additional regulatory tool – we will continue to use the Data Protection Act and associated legislation for our enforcement role

So it's not a legal requirement, nor anything the ICO will actually regulate to. So surely isn't this "promise" something we would expect EVERY company that handles our personal information to deliver? If so, we should see the list of signed up companies be rather extensive. Will getting a senior executive to sign a piece of paper they are not regulated against or legally obliged to follow, add any value to the existing data protection act? If anything this may be another way to raise awareness of why companies need to protect our data. We can but hope.


Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.

11g quick guide


« July 2016