May 2007
Keep your Passwords Safe and your Data even Safer
Orange and Littlewoods have both received a slap on the wrists this month from the Information Commissioner’s Office (ICO) over breaches of the Data Protection Act.
The incidents highlight the two main areas the ICO are charged with policing; security and marketing rules. Mobile operator Orange was accused of allowing new employees to share log in details for their IT systems. Identity fraud costs the British economy approximately £1.7bn a year and organisations or data controllers the size of Orange have access to thousands of people’s details including bank details, dates of births, addresses and phone books. The purpose of usernames and passwords is to enable companies and the ICO to monitor who has access to this information. Meanwhile the home shopping giant Littlewoods was accused of failing to process customer information properly. The investigation was triggered by a former customer who had continued receiving marketing material after she expressly requested the company to stop.
In both cases the ICO agreed not to use their enforcement powers under the act in return for undertakings. The undertaking provided by Orange states:
“The data controller shall, as from the date of this undertaking … ensure that personal data is processed in accordance with the Seventh Data Protection .. and in particular .. The sharing of user names and passwords by Customer Service Representatives, to access computer systems, shall not be allowed under any circumstances.”
A total of 17 organisations have provided similar undertakings this year including several companies in the financial services and communications sector.
These undertakings have proved to be an additional weapon in the ICO’s armoury as it seeks to enforce its powers. They serve as public admissions by these organisations allowing the ICO to “name and shame” companies who breach the legislation. They also enable the ICO to progress to enforcement in the event that these undertakings are breached followed by criminal prosecution if there are further failures.
Briffa’s Opinion
The increasing number of ICO investigations highlights the pressure that is being placed on data controllers to keep information secure and this will have implications for consumer facing organisations in particular. It is vital that from the outset organisations correctly administer the information they gather as part of their day to day activities with clear policies put in place for the sharing of usernames and passwords, and managing the status of “dead” and ”active” customers. In particular most of these investigations are prompted by members of the public complaining about direct marketing activities, it is therefore essential in a competitive marketplace that sales teams are notified of who has asked to be removed from mailing lists and e-shots.