Posted on July 9th, 2010 by Davey Winder    

ICO Code of Practice gets lukewarm reception from security experts

So the Information Commissioner’s Office has finally published the new code of practice for the collection of personal data online. The ‘Personal Information Online Code of Practice’ (http://www.ico.gov.uk/ebook/ebook.htm) has been described by Christopher Graham, the Information Commissioner, as the first guidance document of its kind. During the launch of the code he warned businesses: “mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO. Organisations must be transparent so that consumers can make online privacy choices and see how their information will be used.”

Not everyone is convinced of just what impact the code of practice will have, though. Take Sean Sullivan, security adviser at software security experts F-Secure, who reckons that while policies and guidelines are important and necessary, that doesn’t mean that consumers will understand how or why information is being used. “The ICO’s policies and guidelines will help organizations define what’s mandatory or non-essential, and to label forms properly,” Sullivan says, “but it doesn’t really help consumers understand.”

Ken Yearwood, Director NEMEA Proofpoint, would appear to agree. He warns that “if end-users are not properly educated on how to handle sensitive information, this guidance will be lost amongst the background noise of their increasing workload. As such, any security policy implemented will be doomed to fail. A system needs to flag and educate end-users on exact cases of data breach, not refer them to a 150-page overview of the security policy as a de-facto response.”

At least Dave Everitt, general manager of EMEA at Absolute Software, is a little more positive when he says that “the ICO’s new code of practice can only be a good thing”, although he does feel that the ICO needs to do more to educate businesses so they understand they can take action to stop data loss if it ends up in the wrong hands. “It doesn’t have to be a case of just hoping it doesn’t happen, businesses need to be more aware of who and what is available to help them avoid data breach,” Everitt says, concluding: “burying their collective head in the sand simply won’t help.”

Unfortunately, it does look a little like many businesses are doing an ostrich and burying their collective heads in the sand right now though. And you know what, ostriches do not great data protection make…
