production management
on, or to pass it on to a third party. This
may not be possible - so always
confirm what is permissible before
authorising such activity.
■ Limiting the amount of personal
information used to fulfil a particular
activity, to the data actually necessary
to complete that task.
■ Taking care to update records which
become out of date or obsolete.
■ Allowing individuals the right to
access a copy of the personal
information held by the organisation
on demand.
■ Allowing individuals the right to
opt out from any direct marketing
activity.
■ Not transferring any personal
information outside the European
Economic Area without securing
additional protections.
Enforcement under the DPA
The ICO regulates compliance with
the DPA. It is required to investigate
and rule on complaints received from
members of the public about alleged
breaches of the legislation, and it wields
significant power to carry out formal
inquiries and enforcement action.
Organisations who find themselves
under investigation from the ICO are
likely to be exposed to adverse publicity
once those investigations are complete
- the ICO has a deliberate policy of
raising awareness of data protection
through publicising poor working
practices. If systemic failures are
identified, there is the additional
risk of a fine of up to £5000 in a
Magistrates' Court or an unlimited fine
in a Crown Court. Further, if individual
members of staff are found to have
made unauthorised disclosures of
personal information, they personally
face the prospect (following recent
changes to the Criminal Justice and
Immigration Bill) of a custodial sentence.
Steps to take to ensure compliance
Establishing a clear regime of
information governance will ensure
compliance with the rules and limit
the risk of things going wrong. As a
basic checkpoint, make sure these
simple processes are in place:
1. Have a clear understanding about
the personal information collected
and used within the organisation.
2. Ensure the way in which personal
information is used remains
consistent with the expectations of
the individuals concerned: be
satisfied that staff, customers and
others would not be surprised to learn
how their private details are used.
3. Have a data retention policy which
ensures records are regularly
updated and (when obsolete) deleted.
4. Have a security policy which sets
out a clear process for maintaining
the integrity of data, prevents
unauthorised access to information
and has effective procedures for
managing breaches.
5. Ensure IT infrastructure supports
effective security controls and data
management.
6. Carry out regular data protection
compliance audits.
7. Nominate a senior officer with
overall responsibility for
management of data protection and
security compliance. This individual
should have a direct reporting line
to board level.
What to do if things go wrong
If an information security breach
occurs, the temptation may be to keep
quiet and hope the problem passes by
unnoticed. This is usually a recipe for
more trouble. The ICO is quite clear
that if things go wrong there is an
overriding duty to protect the
individuals concerned as quickly and
effectively as possible. At a minimum,
this is likely to mean issuing a clear
communication to those affected
explaining what has happened;
explaining any risks that they may be
exposed to as a result of the problem -
for example, any enhanced risk of
identity theft and steps they can take to
minimise that risk; notifying the ICO,
so that they can provide appropriate
additional advice and guidance;
carrying out immediate remedial
action to prevent a recurrence of the
problem; and conducting an
investigation to understand any
systemic organisational failures which
should be rectified.
38 MWP march 2008
For the Future
The ICO has just been given the power
to audit and inspect those Government
organisations that hold and process
personal information without first
having to gain permission. Similar
powers are being sought for businesses.
Further, s55 of the DPA relates to the
illegal buying and selling of personal
information. Presently it carries a
criminal penalty of up to £5000 in a
Magistrates Court or an unlimited fine
in a Crown Court. But going through
Parliament as part of Criminal Justice
and Immigration Bill is a proposal to
add a two year prison sentence. Also,
the ICO wants reckless breaches of the
Act to become a criminal offence. Only
s55 breaches and breaches of an
enforcement notice are criminal
offences under the present law.
Conclusions
People expect their personal
information to be properly protected at
all times, whether held by the public or
private sector. Organisations that fail to
put in place appropriate measures to
secure information risk alienating
their customers, upsetting regulators
and undermining their commercial
viability. These risks are real and
substantive. If not already in place,
commit now the resource and
attention needed to ensure secure and
effective information governance.
Andrew Dyson is a Partner in DLA
Piper. He specialises in information
law and data protection issues.