Information Commissioner needs more power

Give the Information Commissioner's Office (ICO) more power to hold companies and the public sector accountable for data security breaches, speakers at a Westminster eForum event said today.

Earlier this week, the Information Commissioner Richard Thomas called the number of companies and public organisations which have had serious security lapses "frankly horrifying." In London today, representatives from government, industry and academia called for better protection of individual's data - and more power for the ICO, the government body charged with protecting people's privacy in the digital age.

"We don't appear to be taking seriously as a society this information leakage," said Dr Simon Moores, the vice chairman of the Conservative Technology Forum.

An assistant commissioner from the ICO said the body believed it was time to take action. "When do start to do something about this instead of just having the debates?" asked Jonathan Bamford.

The speakers called for a bigger role for the ICO, with consultant Dr Ian Forbes saying the body needed "more elbows and a lot more power."

Currently, the information commissioner must ask permission from an organisation before looking into its data control and security arrangements. "The recalcitrant ones who don't want us there, there's something they don't want us to find," said Bamford.

Speakers representing industry also called for better guidance from the government. "There should be far more safeguards for industry to focus on," said David Theriault, business development manager at Ubisense.

Bamford laid out an ICO action plan to help deal with privacy and security issues surrounding private data. It included a new code of conduct for CCTV, an information sharing framework code and increasing the use of privacy impact assessments - all designed offer support and guidance to organisations.

He also highlighted the use of privacy enhancing technologies, calling for security and privacy controls to be built into databases and other technologies at the planning stage, rather than waiting until the end to bolt them on. Government IT contractors should be told to develop privacy and security controls at the specification stage, while the government should be willing to pay a premium for safer systems, Bamford said.

It's not just about securing the data or the IT, but about how people have access to information. "Things go wrong not just because of technology failures, but human failures," Bamford said. He and other speakers called for tougher sentencing and bigger financial penalties for those responsible for data breaches.

The government needs to create a culture of security, one speaker said. "Security is not a process, not a group of products, it's a state of mind," said Nigel Hopgood, the head of corporate governance at Sun Microsystems.

Philip Virgo, the secretary general of industry parliamentary group EURIM, said deciding responsibility for security breaches is easier in the private sector than the public sector. In the former, it comes down to who to sue, while in the latter, politics comes into play. But accepting responsibility for errors is key to gaining public trust - especially for highly-criticised projects such as the identity card scheme. "Trust is earned by those who accept responsibility even when things go wrong," said Virgo.

Email to a friend

Print this page

Social Bookmark this article: What is this?

Digg

Delicious

Reddit

StumbleUpon

Slashdot

Google

Facebook