Almost one in five businesses has unwittingly breached the Data Protection Act 1998 (DPA) at least, once according to a survey of “a nationally representative sample of 516 senior decision makers in small and medium businesses” conducted by BSI, the British Standards Institution. Of these, nearly half admitted to breaching the Act on several occasions, while an additional 18% said they were not sure whether they had or not [in this context, “breach” means “the illegal transfer of information to a third party, failure to hold information securely or neglect of other legal obligations”].
This survey, which seeks to reflect the way British businesses manage the personal information they hold on staff and customers, including sensitive data such as racial or ethnic origin, trade union membership and criminal proceedings, was carried out to mark the publication today of a new British Standard on data protection — BS 10012 — which is designed to help organisations put in place a framework for maintaining and improving compliance with data protection legislation and good practice. Among its other findings the survey reveals that
• 65% of businesses provide no data protection training for their staff.
• Nearly half of those surveyed admit that there is no one in their business with specific responsibility for data protection.
• 15% of businesses are not confident that their data sharing practices conform to the DPA and worryingly, almost 5% of these frequently share data regardless.
• 18% of businesses said that data protection is less of a priority in the current economic climate.
Mike Low, Director, Standards, BSI, is quoted as saying:
“The five million small and medium sized businesses in the UK form the backbone of the British economy. These organizations are handling vast amounts of personal information on a daily basis and while it is encouraging that some already have appropriate data protection measures in place this survey shows that there is still a long way to go”.
Gordon Wanless, Chairman of the Data Protection Forum, adds:
“BS 10012, launched by BSI today, is the first standard of its kind in the area of Data Protection and is expected to be used widely by both public and private sector organizations”.
The new British Standard (full name “BS 10012, Data protection – Specification for a personal information management system”) has been developed to establish best practice and aid compliance with data protection legislation. Rather than prescribing exactly how operations should be run, it offers a framework which will enable effective management of personal information. The idea is that it can be used by organizations of any size and sector to create a tailored management system which includes procedures in areas such as training and awareness, risk assessment, data-sharing, retention and disposal of data and disclosure to third parties.
BS 10012, was developed by a panel of experts including representatives from industry, government, academia and consumer groups. A three month public comment period produced a high number of comments all of which were considered by the panel before preparation of the final version of the standard.