The Ponemon Institute has published the 2009 instalment of its UK Annual Study: Cost of a Data Breach (a US version is also available). So what has changed since last year?

Well, there has been a general decline of late in media interest in, and exposure of, data breaches, so does this have an impact on the cost of losing data? The answer is a resounding "no". Although the average institutional cost of a data breach decreased nearly 3% over 2009, the average cost per compromised record rose 7% to £64. However, the costs of detection, escalation and notification have generally decreased.

More notably, a decrease in lost business as a result of a data breach has been recorded for the first time. This can be partly explained by the increase in government organisations taking part in the study, as the cost …

Datonomy readers could be forgiven for having missed the fact that yesterday was the EU's 4th annual "Data Protection Day" - especially since Datonomy itself is a day late!

To mark the occasion, the EU's Commissioner for Media and Information Society, Viviane Reding, promised the world of data protection a very special birthday treat - namely, the much-awaited reform of the 1995 EU Data Protection Directive. In a press release the Commissioner emphasised the need for data protection rules to keep up with the challenges of new technology in the decade ahead. The privacy challenges posed by social networking and online behavioural advertising got a specific mention. The press release recaps the Commission's privacy-related achievements during 2009, but is disappointingly light on the detail of the promised reforms to come.

During the second half of last year, as reported on Datonomy, the Commission …

Datonomite Rosie recently became a trustee of a wonderful little charity called Livlife. In her new role as trustee, she has been learning all about the world of data protection and the way in which it relates to charities. It is a little-known fact that not all organisations are required to notify under the Data Protection Act. Charities (and other not-for-profit organisations) are one of the main exceptions.

The key factors in determining whether or not a charity is required to notify are these:
(i) Do the charity's objects state that it is "not for profit"?
(ii) Is the information collected in order to reach the charity's objectives?
(iii) Is the collected information kept within the charity's objectives, rather than passed outside them?
(iv) Does the charity have regular …

FoI and Data Protection have separate and disparate origins, but both have emerged into a culture which in some respects subdues or subverts the effects they were intended to achieve.

FoI has its origins in constitutional reform, and was implemented in some countries well before the UK. Open government is the objective, and better government because it is more open. Transparency is all. But in spite of the big objectives, in many ways the general culture was there much earlier. In the UK, FoI was behind the cultural times rather than in front of them.

Postmodern culture, the dominant cultural movement of the second part of the 20th century, is essentially about transparency and democratic openness. Take the Centre Pompidou, where the insides are on the outside, as a presiding motif. Take with it the playful rejection of seriousness, of the idea that there is a big truth somewhere, some …

Reporting your company or fellow employees is not a topic that is often discussed in polite circles. Someone who takes what they believe to be a moral stand and reports suspicious behaviour can be seen as disgruntled or stirring up trouble or, to put it another way, as a "snitch". Sadly, outside the Harry Potter context, a snitch is not generally seen as a positive descriptor and, like the golden snitch, the reporting of another's behaviour may result more in a chase to catch the person who has reported a problem than to rectify the problem itself.

However, whistleblowing can be vital for companies in understanding where internal problems may lie and in avoiding potentially costly litigation or bad publicity as a result of the actions of a few individuals. Datonomy provides the following information for the benefit of both the whistleblower, the …

The ICO has confirmed that new powers to impose fines of up to £500,000 for serious breaches of the DPA will come into force on 6 April. And the Commissioner has said he will not hesitate to use them for the most serious cases. Responsible data controllers who follow good data protection practice should have nothing to fear, however. The Commissioner's Office has published statutory guidance explaining how it will use its new powers, and how to stay out of trouble!

The new powers are to be found in the recently added section 55A of the DPA (introduced by section 144 of the Criminal Justice and Immigration Act 2008) and will apply to serious breaches of the Act which are likely to cause substantial damage or distress, and which are committed deliberately or recklessly.

As well as explaining the procedural aspects of …

In the UK the House of Commons Treasury Committee has reported the findings of its recent inquiry into the adverse effect of consumer credit searches. These include recommendations which, if implemented, could significantly change the way lenders conduct credit searches on potential borrowers.

The Committee's inquiry into credit searches originated from fears that consumers, by shopping around for credit (especially unsecured credit), were unknowingly building up credit application searches on their credit reference files, making it harder for them to obtain further credit. This inquiry, which is part of a wider review of the impact of the banking crisis on the consumer, seeks to balance (i) the public interest in preventing fraud and protecting consumers from reckless lending with (ii) the need to "ensure that the market is subject to the disciplines of informed consumer …