He has also warned that any Government plans to create a single
database of phone and internet use data could be a threat to
privacy.
The Information Commissioner's Office (ICO) has published its
annual report in which it said that it had informally resolved 48%
of its closed cases, and that it had received 2,646 freedom of
information complaints in the last 12 months.
Last November HM Revenue and Customs (HMRC) lost two compact
discs containing the personal details of 25 million child benefit
claimants. The loss was the subject of five reports, including one
by Kieran Poynter of PricewaterhouseCoopers, which contained 45
recommendations for HMRC.
"Having considered the report ... the Commissioner is satisfied
that the data controller has contravened the Third Data Protection
Principle in that the personal data processed on the missing
compact discs were excessive for the purpose for which they were
processed," says the decision notice issued by the ICO. "Moreover,
the Commissioner is also satisfied that the data controller has
contravened the Seventh Data Protection Principle in that he failed
to take appropriate measures to ensure the security of its
data."
HMRC was ordered by the notice to ensure that the
recommendations in the Poynter report were carried out within three
years, and that annual progress updates be provided to the ICO.
In January of this year a laptop belonging to the Ministry of
Defence (MoD) was stolen. It contained the unencrypted details of
up to one million people.
"In the circumstances the stolen laptop computer held an
excessive amount of personal data at the time it was stolen," said
the ICO's notice.
The MoD has also been ordered to comply within a year with the
recommendations contained in a report into the issue, giving three
monthly reports on progress.
Delivering the annual report, Commissioner Richard Thomas warned
that reported Government plans to create a new database of phone
and internet usage for all UK citizens could be a dangerous threat
to privacy.
"Speculation that the Home Office is considering collecting this
information from phone companies and internet service providers has
been reinforced by the government’s Draft Legislative Programme
which, referring to a proposed Communications Data Bill, talks
about ‘modifying procedures for acquiring communications data’," he
said.
"I am absolutely clear that the targeted, and duly authorised,
interception of the communications of suspects can be invaluable in
the fight against terrorism and other serious crime. But there
needs to be the fullest public debate about the justification for,
and implications of, a specially-created database – potentially
accessible to a wide range of law enforcement authorities – holding
details of everyone’s telephone and internet communications. Do we
really want the police, security services and other organs of the
state to have access to more and more aspects of our private
lives?" he said.
The Home Office has previously told OUT-LAW that it was not yet
releasing details of what it meant by the outline changes contained
in the Government's Draft Legislative Programme.
The ICO has also cancelled an enforcement notice served last
January on retailer Marks and Spencer (M&S). The company had
been issued with a notice ordering it to encrypt all the data on
its laptop computers after a computer was stolen.
The ICO said in January that M&S had broken the law when it
allowed the details of 26,000 employees to be stored on laptops in
unencrypted form. The ICO ordered it in January to encrypt all of
its laptops by April.
M&S wrote to the ICO last week to say that all the company's
laptops had been encrypted. IT director Darrell Stein said in the
letter that 4,532 had been encrypted. The computers are mostly in
the UK, but some are as far afield as Morocco, Bangladesh and Sri
Lanka.
The Deputy Information Commissioner cancelled the enforcement notice
this week. Failure to comply with an enforcement notice can result
in criminal charges.
When the notice was issued it said that the ICO was prepared to
accept less formal undertakings from M&S that it would encrypt
the computers, but that M&S pushed for no announcement of those
undertakings to be made. That was "not acceptable to the
Commissioner," the notice said.