London, United Kingdom, March 08, 2009 --(PR.com)-- As part of an investigation of the Guardian, the Information Commissioner’s Office closed down an investigating firm that was maintaining and selling data from an illegal database. Buyers of the information, which include some of the biggest construction firms in the UK, will also be prosecuted.
Yesterday David Smith, the deputy information commissioner, said: "This is a serious breach of the Data Protection Act. Not only was personal information held on individuals without their knowledge or consent, but the very existence of the database was repeatedly denied [by the industry]. The covert system enabled Mr Kerr to unlawfully trade personal information for many years, helping the construction industry to vet prospective employees. Kerr held information on thousands of construction workers and profited by checking names against his database."
“Companies have often shown a cavalier attitude on how they store, transmit and protect personal data,” states Alexandra Kelly, Managing Director of pre-employment screening company Powerchex.
“Light sentences from the Information Commissioner, as well as a perceived impression that companies that break the code will not be prosecuted, have resulted in a lax treatment of personal data including employee, customer and other such sensitive data.”
The Financial Services Authority, which regulates the UK financial services sector, recently issued a consultation paper to help firms ensure that they treat customer and employee data in a secure fashion.
Examples of good practice in terms of treating personal data laid out in the report include:
· All customer/employee data to be disposed of securely using shredders or confidential waste bins
· Treating all data as confidential waste to eliminate confusion about which type of bin to use
· Providing guidance for travelling or home-based staff on the secure disposal of customer data
· Conducting due diligence of data security standards at third-party suppliers before contracts are agreed
· Regular reviews of third party suppliers’ data security systems and controls
· Ensuring that third-party suppliers’ vetting standards are adequate
· The use of secure internet links to transfer data to third parties
“Companies that handle personal data should make sure that third parties who process this data are also compliant with the Data Protection Act,” says Kelly, “and of course, everyone must be registered with the Information Commissioner,” she concludes.