
Data theft

Channel 4’s “Dispatches” programme on data theft on 5 October 2006 made for sombre viewing. The programme reported how call centres are apparently being targeted by criminals intent on unlawfully obtaining UK citizens’ financial records - with obvious implications. What was particularly galling was the ease with which unscrupulous individuals were able to gather personal data in order to sell it on. In fact, members from the “Dispatches” team were offered some individuals’ banking details for as little as £8 by criminal networks in India.

The programme followed hot on the heels of numerous articles and reports about similar security failures - from Nigerian fraudsters selling bank account details stored on recycled PCs, to banks and building societies not properly disposing of payment slips and other paper files. It also backed up the Information Commissioner’s own recent report on “What Price Privacy” concerning data theft in the UK and prompted the Information Commissioner’s Office (ICO) to implement an immediate investigation into the illegal trade of buying and selling data. From its report it is clear that one thing the ICO will particularly focus on is business practice concerning the safeguarding of personal data. This is expected to target both internal and external administrative procedures.

Having adequate technological and organisational security measures in place is one of the eight data protection principles under the Data Protection Act (“DPA”). This applies to both electronic and manual records. Therefore, organisations which do not have these procedures in place are in breach of the DPA. Call centres acting on behalf of UK companies are data processors; it is the UK company determining the uses to which the data is put (the data controller) which retains overall responsibility for ensuring the security of the outsourced personal data. As a data controller, a key factor in outsourcing must be ensuring that the data processor has satisfactory policies and procedures in place to safeguard the data and that employees involved in processing the data have been sufficiently trained and are sufficiently trustworthy. However, the “Dispatches” programme revealed how employees - even in respectable businesses - were willing to flout their companies’ policies on data protection.

Furthermore, under the eighth data protection principle, organisations wanting to transfer personal data outside the EEA have to comply with the provisions of the DPA, which require that various conditions are met before the data is transferred. In most cases this will mean that an individual’s consent has to be obtained to the transfer of his data outside the EEA. This is because countries outside the EEA are not deemed to have sufficient levels of protection.

As a result of recent news coverage, and the ICO’s own report, the Information Commissioner has declared that it is a priority for his Office to prevent such practices. In fact, this sense of urgency is widespread: not only is the ICO carrying out an investigation into the practices of mobile phone companies (whose call centres were allegedly the source of the information), but the Department for Constitutional Affairs is running a consultation on the introduction of more severe penalties for traffickers of personal data, including custodial ones, for anyone who fails to take adequate measures to safeguard personal data under their control. This consultation was set to run until 30th October and indicates that the tide is beginning to turn against organisations which fail to take data protection seriously.

Compliance is therefore very important. Organisations are well advised to review the procedures they have in place for processing personal data (this includes storing and disposing of it) and to carry out regular reviews of these procedures to ensure that they are adequate and, just as importantly, that they are adhered to by personnel and contractors. Otherwise, the consequences could be severe.

For further enquiries please contact Genevieve Mead on 01892 701308 or email genevieve.mead@ts-p.co.uk.


© 2008 Thomson Snell & Passmore Regulated by the Solicitors Regulation Authority