On September 14, 2011, UK Information Commissioner Christopher Graham said that the private sector “isn’t as good as it thinks it is” when it comes to data protection compliance, and that many of the compliance problems that arise originate in the private sector. While giving evidence to the House of Commons Justice Select Committee, the Commissioner criticized the private sector and, in particular, banks and other financial services companies.
As we have previously reported, and as the Justice Committee stated, only one in five companies contacted by the Information Commissioner’s Office (the “ICO”) agreed to participate in free data protection audits. This is in direct contrast to the 71% of public sector bodies who have agreed to be audited.
The Commissioner, while acknowledging problems with local authorities, stated that there also were problems in the private sector and cited a recent case he said would “cause banks to pause for thought.” The case the Commissioner referenced was heard in Brighton Magistrates Court on September 12, 2011, and concerned the conviction of a bank cashier who used her position to illegally access personal details about a sex attack victim. The bank cashier, who was trying to learn more information about the woman who had accused her husband of sexual assault, was fined £800 and ordered to pay costs of £400 plus a victims’ surcharge of £15. The Commissioner commented that it “beggars belief” that custodial sentences are not available for such breaches.
Commenting on the private sector’s reluctance to submit to audits, the Commissioner stated that he very much regrets that companies are “so backward in coming forward.” He urged financial services companies in particular to submit to data protection audits, the results of which may then be used as a badge of pride to bolster customer confidence in the company.
The Commissioner also used his appearance in front of the Justice Select Committee to highlight his lack of a “general power to conduct anything but a consensual audit” in all but a limited number of areas, and called for the ICO to be given the general power of inspection to check for data protection compliance.
View the ICO news release on the September 12, 2011 case heard in Brighton Magistrates Court.