Privacy matters now more than ever. Research by my office – the Information Commissioner's Office – published earlier this month highlighted that nine out of 10 people are concerned that organisations do not treat their personal information properly. People also rank protecting personal information as the second most important social issue – perhaps surprisingly ahead of the environment and the NHS.
Incidents such as the security breach at HM Revenue and Customs reinforce the importance and necessity of data protection – or people protection as I prefer to call it. The Data Protection Act sets out the framework for how organisations should process and manage personal information – follow the principles of the Data Protection Act and you will retain the trust and confidence of the public. Allow personal information to leave secure buildings and get lost in the post and the public will rightly want an explanation.
For some time I have been pressing the Government to give my office stronger powers under the Act to audit and inspect organisations that process people's personal information without first having to get their consent. Ultimately this will ensure better compliance with the law and protect people's data. The Prime Minister announced yesterday that my staff will be able to spot-check government departments. We will work with the Ministry of Justice to confirm the detail on this – what we need are full audit and inspection powers, and not just for government departments, but for every organisation, public and private, that processes people's personal information. It is essential that we are properly resourced to carry out this new function.
It is also important that the law is changed to make significant security breaches – where they are reckless or repeated – a criminal offence. At the moment I can take limited enforcement action, but making deliberate and systematic data breaches a criminal offence would serve as a strong deterrent and would send a very strong signal that it is completely unacceptable to be cavalier with people's personal information. Committing a criminal offence is a strong deterrent and means that more organisations will comply with the law. The Data Protection Act needs to be changed urgently so that people's personal details are properly protected.
High standards of security and records management are essential if companies and public authorities are to retain the trust and confidence of those who use their services. While the majority of organisations process personal information appropriately, it is imperative that all organisations, large and small, take the protection of individuals' information more seriously.
Our research shows that individuals are now more aware of their rights under the Data Protection Act than ever before. Individuals value their personal information, so careless and inexcusable breaches of their personal details are clearly unacceptable. Earlier this year, I highlighted a horrifying roll call of organisations which have admitted serious security lapses and I called for every organisation to take privacy far more seriously. Alarm bells must now ring in every boardroom. Data protection safeguards must be technically robust and idiot-proof. Protecting the public's personal information will no doubt become a more significant priority.
Richard Thomas is the Information Commissioner; ico.gov.uk