Law won't help Darling's data victims
Posted on 21 Nov 2007 at 07:46
The law is impotent when your data is carelessly lost or discarded by government or companies, discovers Stewart Mitchell
Britain's privacy laws might be enshrined in the Data Protection Act (DPA), but how much "protection" does it afford individuals who become the victims of ID theft when a government department carelessly loses discs containing millions of banking details or an unwiped company hard disk is sent for recycling? According to our investigations, next to none.
This week's loss of 25 million personal details by HM Customs is just the latest case of highly sensitive data being poorly handled. A prime example was exposed recently when a computer containing personal details and records of cancer patients turned up on Ebay, and yet the DPA appears powerless to force government or companies to accept their responsibilities.
"It's a muddled area and the DPA is failing to support the individual," says Jon Godfrey, managing director of recycling specialist LFS. "Data is not only lost and discarded but also traded, which is why hard drives that have been disposed of at local tips are turning up in Nigeria, and people have had their identities stolen from them."
Widespread problem
Organisations responsible for keeping data safe are frequently letting the public down. In a recent study at the University of Glamorgan, 300 used disks purchased from the UK, Australia and the US were tested and four out of ten contained sensitive data, such as salary details, financial data, bank and credit account details and visa applications.
Most of the disks came from companies that have a legal responsibility to properly dispose of all data under the Data Protection Act 1998. "The majority of disks come from corporations and they are supposed to recycle, but they usually pass this job onto resellers - waste management companies - and some are good and some are poor," claims Andrew Blyth, who led the research at Glamorgan. "A lot of them just format the hard drive, which does not mean the data is removed, and rely on the fact that there's little chance of anyone really going through the disks looking for information."
It's not only recycled PCs and laptops that are seeping personal data - mobile devices are covered by the same data protection laws as computers, but they're rarely wiped after being discarded. "The problem is worse with mobile phones and Blackberries," says Godfrey. "We're seeing that next to no-one is even thinking about clearing the memory on those, and that means emails, photos, PIN numbers and contact details are there for the next person who uses that phone."
The question for the public is what to do when data has been compromised? The first port of call is the Information Commissioner's Office (ICO), which can investigate and put pressure on offending organisations, but that won't repair any damages suffered, and the chances are that offending companies will face only a slap on the wrist.
"If it's personal information that's been released it could be a breach of Principle 7 of the DPA requiring that security is taken seriously," says Louise Townsend of IT specialist law firm Pinsent Masons. "But the ICO can't really hand out big fines. It can make them [offending companies] sign a compliance notice, but it's really about naming and shaming - there's not really a financial penalty."
Printed from www.pcpro.co.uk




