Tag Archives: Stewart Room

ICO lobbied to make data loss reporting a requirement

The Information Commissioner’s Office (ICO) is being put under pressure to ensure that every public and private organisation that suffers data loss or a security breach is obliged by legislation to notify it of such events.

It has also been suggested that the ICO's power to fine organisations found to have contravened the Data Protection Act up to half a million pounds is far from adequate and cannot be seen as a suitable deterrent.

This latest criticism of the ICO and the legislation with which it enforces data protection standards comes from Stewart Room, a leading legal force at Field Fisher Waterhouse. Mr Room spoke out at an event, highlighting what he sees as the ineffectiveness of the ICO, with businesses simply avoiding accountability by obscuring the details of a data loss.

Mr Room said that because there was no legal mandate for businesses to notify the ICO in the event of data loss and security breaches, it was unlikely that firms would choose to do so when the result could be a £500,000 fine.

Organisations have a tendency to cover up their failings in the hope that the ICO will never become aware of the incident. Even when their misdemeanours are later revealed, the ICO cannot act on the failure to disclose, because reporting is still not a requirement.

Mr Room added his voice to the growing number of experts who believe the ICO should be able to penalise firms under an uncapped system. This could result in far more substantial fines that should prove to be a more effective mechanism by which to bring even the largest organisations in line with best practice.

Internet Service Providers (ISPs) will become the first group of businesses that are required to report data loss and security breaches to the ICO next March, but according to some observers, this change will actually make little difference because the firms claim they already contact the ICO in the event that problems are detected.

A spokesperson for the ICO said that the organisation would be looking to the government for future extensions to its powers and in the meantime would be focusing its attentions on the further education of the public in order to instil data protection best practices in the wider population.

ICO publishes Code of Practice for data protection

The Information Commissioner’s Office (ICO) has published an online guide setting out the rules that businesses and organisations should follow to ensure that personal data is properly protected.

Although the Personal Information Online Code of Practice is largely aimed at businesses, it also contains information that is useful for consumers who need advice as to the way in which their details will be used by various online services.

Information Commissioner Christopher Graham said that consumer confidence could only be guaranteed if businesses were willing to adhere to data protection advice, and also warned that fines would be incurred by firms that failed to properly secure the data for which they are responsible.

Mr Graham spoke out against the unnecessary harvesting of user data, as well as its misuse in subsequent marketing and publicity which could diminish the trust in a relationship between a business and its customers.

The ICO believes that consumers have a part to play in protecting their personal data. They are encouraged to read the privacy policy for individual businesses and alter any settings to ensure that their details are secure. Limiting the amount of information which is made available online is also a suggested step.

Data security expert Stewart Room said that he was encouraged by the ICO’s new guidelines, particularly in relation to the way in which businesses were being made aware of the legal requirements that govern the handling of private data.

Mr Room said that although the guide is not all-encompassing, it is easy to comprehend and should provide businesses with the right information to help them comply with ICO regulations.

Mr Room believes that the ICO should be given greater powers to enforce proper data protection policy within businesses and organisations around the UK. In his opinion this should include statutory provisions rendering the reporting of data loss a mandatory requirement.

At the moment the ICO has the ability to fine firms up to half a million pounds for data loss, but some believe that unlimited fines would represent a far more significant deterrent.

Data security expert advises on new ICO powers

The speed with which the government proposed and then enacted new legislation giving the Information Commissioner’s Office (ICO) significant punitive powers in the event of data security failures has become a talking point amongst industry experts.

The ICO’s new ability to impose fines of up to half a million pounds has been well publicised, with data expert and lawyer Stewart Room commenting during a speech at a data protection conference as to the likely impact of the changes and the most appropriate way in which businesses should respond.

Mr Room said that the significant speed at which new data protection legislation was being forced through showed that it was being formed and finalised within multiple public organisations simultaneously in order to maximise the impact of the process.

Mr Room pointed out that although half a million pounds was a significant sum when taken out of context, it paled in comparison to the amounts that were changing hands during the recent bank bail-outs. He went on to explain that the fine would not merely be significant because of its financial impact, but because of what it would symbolise for any business upon which it was imposed.

According to Mr Room, any business which receives a fine after the ICO gets its new powers on April 6th will be subject to scrutiny from its potential clients, resulting in lost business and general mistrust as a result. It will no longer be seen as competent enough to safeguard the data with which it is charged and the ramifications of such a label could prove to be enduring and incalculably damaging.

Mr Room pointed out that following a fine, a business would potentially be faced with having to cut jobs and could see its share price slide unless it takes the necessary steps to bring data protection and backup security to acceptable industry standards.

A monetary penalty of this kind can only be imposed for a serious contravention of the data protection principles that was likely to cause substantial damage or distress, and that was either deliberate or one the organisation knew, or ought to have known, was a risk and failed to take reasonable steps to prevent; negligence, not only deliberate wrongdoing, is enough. Mr Room believes that businesses will have to respond more carefully to calls from within and from external parties regarding data handling in order to avoid what may now be a far greater negative impact in the event of a security breach.
