ICO Slams Companies’ Data Protection Awareness
Public sector bodies scored low on awareness of data protection principles, with the private sector coming out only a little better
Awareness of data protection principles amongst large organisations continues to be low, with private sector organisations lagging behind public bodies, while the protection of personal data is more important than ever for individuals, according to a survey published by the Information Commissioner’s Office (ICO) last week.
Just under half (48 percent) of private sector firms said, unprompted, that they should store personal information securely, compared with 60 percent of public sector organisations, the survey found.
The survey, carried out by SMSR, found that overall awareness of five of the eight data protection principles increased between 2009 and 2010, but awareness was still higher in the public sector than the private sector.
Only 14 percent of all organisations could identify all eight data protection principles unprompted, a decline of eight percent from 2007.
On the other hand, data protection remains a high social concern for the public, with 90 percent ranking the protection of personal information as an important issue. The only issue that scored higher was the prevention of crime, at 93 percent.
Nearly 90 percent of individuals surveyed were aware they had a right to see the information an organisation held about them, a 15 percent increase from 2004.
Eighty-four percent of individuals said they knew they could request information from authorities through the Freedom of Information Act, with 80 percent describing the Act as necessary. Ninety-three percent said the Data Protection Act was necessary.
Risk for organisations
The ICO said the low awareness of data protection principle sputs organisations at risk.
“Businesses need to show they are taking data protection seriously,” said Information Commissioner Christopher Graham (left), in a statement. “Failing to do so could not only lead to enforcement action, it could also do significant damage to their reputation. Ignoring data protection obligations is ignoring a key customer concern.”
In June the ICO said the NHS had been responsible for almost a third of all recorded data breaches in the United Kingdom for the last three years. The ICO found that the NHS was responsible for 305 of the 1,007 reported breaches. The private sector was a bit more responsible with data security, it seems, with 288 breaches recorded from individual companies. Meanwhile 132 breaches were recorded from local government bodies and 18 from central government.
In May an NHS worker in the secure mental health unit of a Scottish hospital was suspended, after he lost a USB stick containing patients’ medical records. According to local media reports, the USB stick contained unencrypted sensitive information – including the criminal histories of some violent patients at the Tryst Park unit at Bellsdyke psychiatric hospital. The stick was later found by a 12-year-old boy in the car park of an Asda supermarket in nearby Stenhousemuir.