Sunday, 17 January 2010

Checking up on the “Personal Information Promise”

This time last year, just before International Data Protection Day 2009, I was among a small group of people who were approached by the Information Commissioner’s Office and asked whether I would support this initiative. On the day itself, a photo call at One Great George Street recorded the small band of people who had been able to get their Chief Executives to agree to associate themselves with it. I was able to present ours to Richard Thomas, the then Information Commissioner. The evening before the photo call, I had been in deepest Stoke Newington calling on an emergency calligrapher (yes, such people exist – it’s not just your plumbing that you may need sorted out 24 hours a day) making sure that the certificates, having been duly signed by the boss, had the right corporate name on them.

I was so keen for our company to be among the first to sign up that I actually forgot to ensure that the right date was appended to the certificate – so ours is actually dated the day before International Data Protection Day 2009. Accordingly, my formal “claim to fame” is that my company was the “first” to have signed the promise. If anyone has documentary evidence of another Chief Executive’s signature on an official ICO certificate which is dated before 28 January 2009 then I’ll eat (a section) of my copy of the Data Protection Act.

Given the 10th “Personal Information Promise” (to regularly check up on, and report on, the others), I thought I might just as well have a quick review of all of the promises to see if I have acted or behaved differently over the last year as a result of the initiative. After all, that small band of signatories has grown to an army of several thousand, and it might not be too long before someone asks for evidence of compliance or behavioural change.

So here we go.

on behalf of
promise that we will:

1. Value the personal information entrusted to us and make sure we respect that trust;

Some improvements here. I think I’ve always tried to value the stuff. But a tsunami of intensive media coverage about corporate data breaches has really focussed corporate minds on the need to respect personal information.

2. Go further than just the letter of the law when it comes to handling personal information, and adopt good practice standards;

Not much change here, as I’ve always aimed to adopt good practice standards.

3. Consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems;

Not much change here, as I always make privacy impact assessments. I don't always write them down, but it's my job to think about the privacy implications of everything the business does. Thankfully, given a security review following the breach tsunami (see promise 1 above), even more people within the company now follow the established rules, which are to involve me at an early stage of product development.

4. Be open with individuals about how we use their information and who we give it to;

Not much change here, as I’ve always aimed to adopt good practice standards.

5. Make it easy for individuals to access and correct their personal information;

Not much change here, as I’ve always aimed to adopt good administrative standards. Of course there are the odd slip-ups – mostly in ensuring that the credit reference agencies get the correct updates about an individual’s credit history. But on the whole I feel my team does a really excellent job. If it didn’t, then I would have expected to have received many more letters of complaint from the case handlers at Wilmslow.

6. Keep personal information to the minimum necessary and delete it when we no longer need it;

Not much change here, as I’ve always aimed to adopt good retention standards. I’ve worked hard behind the scenes, given evidence to a Parliamentary Committee, assisted a “People’s Enquiry”, and even been quoted in “The Register” and “The Daily Mail” on the problems faced by companies such as the one I work for when tensions arise because we want to delete records, but others want them retained on the basis that they might come in useful to someone sometime in the future. And this issue will remain just as important this year as it was last year. I can see myself spending a lot of time this year at the Home Office, with various law enforcement agency representatives, and traipsing around the corridors within Parliament and Portcullis House, as I try to get those who matter to fully appreciate the consequences of what they think they believe in.

7. Have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands;

I try. I really do try. And, thanks to the breach tsunami, lots more people within the company are trying too, and more resources have been provided to ensure that we can maintain a level of security that is commensurate with this promise.

8. Provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don’t look after personal information properly;

Oh yes. Plenty of training going on around here. And I’ve developed guidance for managers to assist them when their reports can’t meet the standards that are both expected of them and also which they have acknowledged they should meet.

9. Put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises;

Oh yes – thanks to the breach tsunami, resources are not that hard to come by any more. Even in a recession.

10. Regularly check that we are living up to our promises and report on how we are doing.

Oh yes – and how’s this report, for starters?

So I claim another first – I believe this to be the first annual review of a Data Protection Promise.

And again, if anyone has documentary evidence of an earlier annual review, then I’ll eat (yet another section) of my copy of the Data Protection Act.