Five important data protection reports were published in the UK in June and July 2008.
Taken together, the reports signpost a change in attitude to data protection:
- moving away from passive, lacklustre compliance, where data protection is seen as the preserve of a small number of staff with designated roles.
- moving towards a far more dynamic approach to data protection where organisations whose business depends on the collection and use of personal data see the good stewardship of that data as a fundamental part of their operations.
The characteristics of this new approach are that:
- information risk is actively addressed as a management issue
- awareness of data protection and information risk is identified as a key competency of those staff whose role involves the handling of sensitive personal data
- every significant aggregation of personal data in the organisation has a guardian actively responsible for ensuring the protection and proper maintenance and use of that data
- data protection policies are written clearly, tailored to staff in particular roles, and actively communicated, monitored and enforced.
Three of the reports stemmed from the loss of personal data by HMRC (Her Majesty's Revenue and Customs) in 2007.
- A report by the Independent Police Complaints Commission (IPCC) describes the specific circumstances that led up to the HMRC data loss.
- A report by Kieran Poynter (chairman and senior partner of PricewaterhouseCoopers LLP) looks at the fundamental causes of the HMRC data loss, which he identifies as a failure of management to take information security seriously, and an organisational design ill-suited to information security.
- A Cabinet Office report sets out a core set of measures that all central government departments must take to ensure that a similar personal data loss does not occur elsewhere in Government.
The fourth report also relates to a data loss: Sir Edmund Burton's report into the loss of a Royal Navy recruiter's laptop containing unencrypted personal data of 600,000 people.
The fifth report has a wider-ranging topic and theme: it is a review of data sharing by Richard Thomas and Mark Walport, which examines ways in which the data protection regime can be improved to allow beneficial data sharing whilst still protecting personal privacy.
I took the reports on holiday with me, and in the next few blogposts I'll be drawing out the key messages from each one.