Tuesday, 3 February 2009

You bet they won't ...


I see the ICO (Information Commissioner's Office) has asked businesses and public bodies to promise to do their legal duty to protect the privacy of those whose personal data they hold.

On 28 January the Information Commissioner’s Office celebrated European Data Protection Day by launching the Personal Information Promise. This appears to me to be another costly and pointless initiative, from which the participants will derive a warm feeling inside as they glow with unjustified pride in the belief they are doing something special to protect individual privacy - by publicly signing a promise to do what they are already legally obliged to.

The ICO are the same lazy, incompetent arseholes who have failed to hold government departments and agencies to account for the numerous data loss cases over the last few years, or to prevent further losses, despite having legal powers to punish those found wanting and to mandate amendments to internal procedures and safeguards.

Their solution of course is to ignore their statutory powers and obligations and ask organisations to promise that they will:
1. value the personal information entrusted to us and make sure we respect that trust;
2. go further than just the letter of the law when it comes to handling personal information, and adopt good practice standards;
3. consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems;
4. be open with individuals about how we use their information and who we give it to;
5. make it easy for individuals to access and correct their personal information;
6. keep personal information to the minimum necessary and delete it when we no longer need it;
7. have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands;
8. provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don’t look after personal information properly;
9. put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises; and
10. regularly check that we are living up to our promises and report on how we are doing.
Surely the introduction of this initiative is an admission that the ICO thinks organisations are not doing enough to protect our privacy through good data management? The promise seems to be 10 steps that it would be reasonable to assume that any responsible organisation would already have in place as part of their data protection obligations, and if the Commissioner suspects that they are failing to do so prosecutions should ensue - not a meaningless signature on a piece of paper which states the bleeding obvious. What the fuck have these organisations been doing up until now, oh no wait we know - leaving a trail of lost and unencrypted personal data across the country.

And the signatories to this promise? [From the ICO web site]
What speaks volumes is how many of the other 301,000 organisations on the public register of data controllers have not promised to look after the personal information they hold.

You may notice one other glaring omission - one that it would be reasonable to assume would be the first to sign up given their poor track record in the past. The same organisation that holds more personal data than any other, one obsessed with collecting, sharing and retaining as much information on the citizens of this fair isle as is possible.

Central government is not a signatory, but will they sign it?

You bet they won't; after all they couldn't push through their multiplicity of database-state initiatives and ID cards if they were obliged to respect privacy now, could they?
