Data protection laws to be streamlined

Clegg found Cameron a willing partner over plans to restore civil liberties

The Conservative-Liberal Democrat government has outlined its intention to repeal what it sees as Labour’s over-zealous commitment to data protection, CCTV and ID cards.

Under the recently formulated coalition agreement, the ID card scheme will be scrapped along with the National Identity Register, the next generation of biometric passports and the Contact Point Database.

Additionally, the scope of the Freedom of Information Act is to be extended in order to provide greater transparency, and CCTV is to be regulated more judiciously to avoid misuse.

BusinessWings quizzed Robert O’Brien, director at compliance software manufacturer Baronscourt Technology, on how these changes will affect SMEs. 

Which new penalties have been introduced for breaches of the Data Protection Act in the last few years?

Robert O’Brien: Under sections 55A and 55B of the Data Protection Act 1998, introduced by the Criminal Justice and Immigration Act 2008, the Information Commissioner may serve a monetary penalty notice on an organisation. The amount of the monetary penalty can be up to £500,000.

As a general rule an organisation with substantial financial resources is more likely to attract a higher monetary penalty than an organisation with limited resources.

What are the most commonly occurring contraventions, and how can the Baronscourt software suite MetaCompliance help to counteract them?

Robert O’Brien: According to ICO guidelines, the Commissioner may impose a monetary penalty notice if an organisation has seriously contravened data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition, the contravention must either have been deliberate or the organisation must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

The last line in this paragraph is key. 'Known or ought to have known' can be described as awareness of information assurance. It describes the culture and collective understanding of an organisation of this new business imperative.

Clearly, there are end point security products, such as encryption, that form an important part of an organisation's data protection plan. However, it is only through the adoption of a policy and user awareness management system, like MetaCompliance, that a company can automate repetitive but crucial compliance communications. MetaCompliance ensures that all staff participate in the IT Assurance project.

Every data protection regime has key policies as its foundation. Awareness and implementation of the key security policies determine how successful any organisation will be in defending itself against a data breach or incident. MetaCompliance will guarantee the sign up of all employees and contractors to key security policies including, for example:

  • Password usage
  • Data control
  • Network security
  • Physical security
  • Electronic mail ownership
  • Security incident reporting
  • End user accountability and acceptable use
 
