Orange breaches UK data privacy laws

 

Gallery

By Simon Aughton

Posted on 22 Jun 2007 at 12:31

The Information Commissioner's Office has found that Orange breached UK laws governing the processing of customers' personal information.

The ruling follows the investigation of a complaint about Orange Personal Communications Services. The complaint indicated that new members of staff were allowed to share usernames and passwords when accessing the company IT system.

The ICO found that Orange was not keeping its customers' personal information secure and therefore was in breach of the Data Protection Act.

'Organisations that process individuals' personal information must do so in compliance with the Data Protection Act,' said Mick Gorrill, head of Regulatory Action at the ICO. 'If they do not, they not only risk further action from the Information Commissioner but also risk losing the trust of their customers. Individuals must feel confident that organisations are safeguarding their personal information.'

Orange is now required to sign a formal undertaking to comply with the Data Protection Act.

An Orange spokesperson said that the investigation relates to an issue in November last year, when a member of staff made Orange managers aware that some employees were sharing their log-in details in order to access systems.

'All of our frontline staff, whether permanent or temporary, are provided with a unique log in to access the company's customer account systems,' the spokesperson explained. 'Each member of staff is also required to sign a non-disclosure agreement regarding their password as part of the company's email and Internet policy.

'Therefore, as soon as we became aware that some members of staff were sharing log-in details, we issued a communication to all employees reminding them that this was against Orange policy and that if a member of staff was found to be using a colleague's details to log into the system, it could result in disciplinary action. Procedural compliance was also tightened.'

Orange's internal investigation found no evidence that customer data was inappropriately disclosed as a result of the sharing of log-in details.

'The security of customer information is of paramount importance to Orange,' the spokesperson said. 'We employ a number of techniques to ensure customers are safeguarded from attempts to fraudulently access account information. We also employ a number of processes to monitor our staff's access of customer accounts to ensure such access is warranted.'

Last month the Information Commissioner, Richard Thomas, told the House of Commons' Home Affairs Select Committee that his office needs stronger powers to carry out inspections and audits to ensure organisations are complying with the Data Protection Act. Currently, the Commissioner must gain consent from an organisation before carrying out an inspection.