Right to reply: New personal data code of practice- more education needed
- Added:
- Jul 12, 2010
The Information Commissioner's Office (ICO) has published a code of practice for the collection of personal data online. In this article, three data security experts give the code a mixed reception.
The new code of practice follows a succession of high-profile data losses by public sector bodies and Government departments. The Information Commissioner, Christopher Graham, said action would be taken against those breaching the Data Protection Act.
Ken Yearwood, Director NEMEA Proofpoint, said: “If end-users are not properly educated on how to handle sensitive information, this guidance will be lost amongst the background noise of their increasing workload. As such, any security policy implemented will be doomed to fail.
“Security solutions that are difficult to implement, confusing to learn or that add time to an employee’s day will similarly fall short. Data leakage isn’t usually down to malicious intent. It’s more likely an employee didn’t understand the sensitive nature of the email content, or wasn’t aware the department had an email security policy.
“Although security policies need to reach the masses, they should be timely, relevant and intelligent. A system needs to flag and educate end-users on exact cases of data breach, not refer them to a 150-page overview of the security policy as a de-facto response.
“I believe that even with a strategy of education, we will continue to see sensational headlines about data breaches, but they’ll become less frequent and more importantly, increasingly accurate. I’m not advocating that deliberate data breaches go unpunished, but with the emphasis moving towards education rather than punishment, those stories that make the headlines will be the exception, rather than the rule.”
Sean Sullivan, security adviser at software security experts F-Secure, said: “Policies and guidelines are important and necessary, but a consumer that can see how their information will be used isn’t necessarily one that will understand how/why it is used. There’s a lot of misinformation and a lack of understanding on the part of consumers. They don’t understand data acquisition and that leads to irrational fears. (Ex: The USA 2010 Census and those that refuse to fill out the form.)
“The ICO’s policies and guidelines will help organizations define what’s mandatory or non-essential, and to label forms properly, but it doesn’t really help consumers understand. This is a business opportunity for those organizations that not only safeguard their customers’ information but also empower them with an understanding as to how it will be used. And that builds trust.”
Dave Everitt, general manager of EMEA at Absolute Software, said: “The ICO’s new code of practice can only be a good thing, but it’s essential for organisations to understand what this means and how to remain compliant. When the ICO recently introduced data breach fines, almost half (45%) of IT directors polled by Absolute Software were not aware they had come into force and this can’t afford to happen again. Even more worrying is that of those who do know about the potential punishments, only 55% believe they will change their business practices as a result.
“After a run of high-profile data losses in the press, consumers have got to be able to feel they can trust businesses and public organisations with their personal details. How many more cases of lost laptops and vulnerable data will we see before organisations realise they have to do more to reassure the public?
“The ICO is absolutely right in publishing this code of practice, but it also needs to educate businesses so they understand they can take action to stop data loss if it ends up in the wrong hands. It doesn’t have to be a case of just hoping it doesn’t happen; businesses need to be more aware of who and what is available to help them avoid data breach. Burying their collective head in the sand simply won’t help.”
An e-book, published by the ICO, outlines advice for businesses, departments, and charities who collect information that can identify an individual.
View a copy of the new code of practice here (PDF file)