News
Wednesday 21st November 2007
Britain's privacy laws might be enshrined in the Data Protection Act (DPA), but how much "protection" does it afford individuals who become the victims of ID theft when a government department carelessly loses discs containing millions of banking details or an unwiped company hard disk is sent for recycling? According to our investigations, next to none.
This week's loss of 25 million personal details by HM Revenue & Customs is just the latest case of highly sensitive data being poorly handled. A prime example was exposed recently when a computer containing personal details and records of cancer patients turned up on eBay, and yet the DPA appears powerless to force government or companies to accept their responsibilities.
"It's a muddled area and the DPA is failing to support the individual," says Jon Godfrey, managing director of recycling specialist LFS. "Data is not only lost and discarded but also traded, which is why hard drives that have been disposed of at local tips are turning up in Nigeria, and people have had their identities stolen from them."
Widespread problem
Organisations responsible for keeping data safe are frequently letting the public down. In a recent study at the University of Glamorgan, 300 used disks purchased from the UK, Australia and the US were tested and four out of ten contained sensitive data, such as salary details, financial data, bank and credit account details and visa applications.
Most of the disks came from companies that have a legal responsibility to properly dispose of all data under the Data Protection Act 1998. "The majority of disks come from corporations and they are supposed to recycle, but they usually pass this job onto resellers - waste management companies - and some are good and some are poor," claims Andrew Blyth, who led the research at Glamorgan. "A lot of them just format the hard drive, which does not mean the data is removed, and rely on the fact that there's little chance of anyone really going through the disks looking for information."
It's not only recycled PCs and laptops that are seeping personal data - mobile devices are covered by the same data protection laws as computers, but they're rarely wiped after being discarded. "The problem is worse with mobile phones and Blackberries," says Godfrey. "We're seeing that next to no-one is even thinking about clearing the memory on those, and that means
The question for the public is what to do once their data has been compromised. The first port of call is the Information Commissioner's Office (ICO), which can investigate and put pressure on offending organisations, but that won't repair any damage suffered, and the chances are that offending companies will face only a slap on the wrist.
"If it's personal information that's been released it could be a breach of Principle 7 of the DPA requiring that security is taken seriously," says Louise Townsend of IT specialist law firm Pinsent Masons. "But the ICO can't really hand out big fines. It can make them [offending companies] sign a compliance notice, but it's really about naming and shaming - there's not really a financial penalty."
You could seek financial recompense through the courts, but legal experts warn this is a high-risk strategy. "You can complain to the Information Commissioner's Office, but if you can show you have suffered damages then you could bring a court case," she adds. "You can bring a case yourself but that is quite rare because you have to pay for all the costs, and if it's a big company it's too daunting for the man in the street." Even the ICO has yet to take a company to court for non-compliance, let alone the government.
In the dark
Of course, most people never find out that a company has leaked their data, usually because nobody has yet exploited it. But even when companies do become aware of a data breach, they have no legal obligation to admit to the problem or even to contact the individuals affected, even though prompt notification would let potential victims change the passwords on their accounts. "We would say best practice would be to come forward for advice, and many have, but they don't have to," says a spokesperson for the ICO. Indeed, the Chancellor waited six days before even informing the banks of the missing child benefit discs. "We'd like to see the rules changed," adds the spokesperson.
However, given the choice of coming forward and risking the damage to reputation and bank balance, or keeping mum and hoping the data breach is never discovered, it's not surprising that most organisations opt for the latter. "It's like when companies get hacked," says Blyth of Glamorgan University. "Most will say 'Disk, what disk?'. Unless it comes to light and they have to respond, there is no advantage in coming forward."
The best defence is obviously not to lose data, and for most companies that means carefully monitoring firms contracted to dispose of old hardware. "You have to say that you reserve the right to do spot checks and snap inspections, and if it doesn't conform they are in breach of contract," says Blyth.
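Blyth's two points above, that formatting a drive does not remove the data on it, and that firms should spot-check the contractors who dispose of their hardware, can both be shown on a small simulated disk image. The following is an added example written for this page, not code from the University of Glamorgan study or from LFS: it models a trivial filesystem whose "directory" lives in block 0, stores a few constructed (fictional) records in data blocks, clears only the directory the way a quick format does, and then carves the raw bytes for bank-style patterns exactly as a forensic examiner would. The same `audit` function is the kind of check a disposal contract's "spot inspection" clause could call for: it reports how many blocks still hold anything and what identifiable data is still recoverable.

```python
import re

# Geometry of the simulated disk image (assumption: a tiny 32 KB "drive").
BLOCK_SIZE = 512
IMAGE_BLOCKS = 64

# Constructed sample records. Names, sort codes and numbers are fictional.
RECORDS = [
    b"Name: A. Example; Sort code: 40-12-34; Account: 12345678; Salary: 31500\n",
    b"Name: B. Sample; Card: 4111 1111 1111 1111; Expiry: 09/09\n",
    b"Visa application ref VA-2007-000123; passport 123456789\n",
]

# Patterns a carving tool would look for when ignoring the filesystem entirely.
PII_PATTERNS = {
    "sort_code": re.compile(rb"\b\d{2}-\d{2}-\d{2}\b"),
    "account_no": re.compile(rb"\bAccount: \d{8}\b"),
    "card_no": re.compile(rb"\b(?:\d{4} ){3}\d{4}\b"),
}


def new_image():
    """A blank image: every block zero-filled."""
    return bytearray(BLOCK_SIZE * IMAGE_BLOCKS)


def write_files(image, records):
    """Minimal filesystem: block 0 is a directory of 'block:length' entries,
    each record occupies its own data block starting at block 8."""
    directory = []
    for i, rec in enumerate(records):
        blk = 8 + i * 4
        start = blk * BLOCK_SIZE
        image[start:start + len(rec)] = rec
        directory.append(f"{blk}:{len(rec)}")
    header = ("DIR " + ",".join(directory)).encode()
    image[0:len(header)] = header


def quick_format(image):
    """What a quick format (or an ordinary delete) actually does: the metadata
    block is cleared, the data blocks are left untouched."""
    image[0:BLOCK_SIZE] = bytes(BLOCK_SIZE)


def secure_wipe(image, fill=b"\x00"):
    """Overwrite every byte of the image with the fill pattern."""
    repeats = len(image) // len(fill) + 1
    image[:] = (fill * repeats)[:len(image)]


def carve(image):
    """Forensic-style carve: scan the raw bytes, not the filesystem, and return
    (pattern name, byte offset, matched text) for every hit."""
    raw = bytes(image)
    hits = []
    for name, pat in PII_PATTERNS.items():
        for m in pat.finditer(raw):
            hits.append((name, m.start(), m.group(0).decode()))
    return hits


def audit(image):
    """Spot check a disposal contractor could be held to: how many blocks still
    contain anything at all, and what identifiable data can be carved back."""
    nonzero = sum(
        1 for b in range(IMAGE_BLOCKS)
        if any(image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
    )
    return {"nonzero_blocks": nonzero, "total_blocks": IMAGE_BLOCKS,
            "pii_hits": carve(image)}


def demo():
    """Returns the audit result after a quick format and after a real wipe."""
    img = new_image()
    write_files(img, RECORDS)
    quick_format(img)
    after_format = audit(img)   # data blocks intact, PII carved straight back
    secure_wipe(img)
    after_wipe = audit(img)     # nothing left to carve
    return after_format, after_wipe


if __name__ == "__main__":
    fmt, wiped = demo()
    print("after quick format:", fmt["nonzero_blocks"], "blocks in use,",
          len(fmt["pii_hits"]), "PII hits")
    for hit in fmt["pii_hits"]:
        print("  ", hit)
    print("after secure wipe:  ", wiped["nonzero_blocks"], "blocks in use,",
          len(wiped["pii_hits"]), "PII hits")
```

After the quick format all three records are still carved back from their data blocks, because only block 0 changed; only the full overwrite leaves nothing. The same `audit` routine run against a real image (for example one taken with `dd` from a drive returned by a recycler) is a practical spot check. Two caveats for real drives: a single zero pass is the model here, and the "non-zero blocks" count is only meaningful for a zero-fill wipe, since a random-fill pass leaves every block non-zero while still defeating the carve.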
Until such checks become commonplace, the only thing really being breached is your privacy.