This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://comment.silicon.com/0,39024711,11019099,00.htm
The Data Protection Commissioner - what all the fuss is about
The UK Data Protection Commissioner (DPC) has been in the spotlight this week as consumers and organisations call for action over recent security breaches. With the list of accidents and incidents lengthening, Sally Watson argues that the DPC is out of its depth...
By Sally Watson
Published: Tuesday 15 August 2000
We've all heard plenty of hype about how safe online shopping is - we've read the leaflets, seen the TV adverts and heard it on the radio. But the proof, as they say, is in the pudding.
Barclays, CD Universe, Oxfam, Powergen, Safeway - as the list of online data breaches gets longer, so consumer confidence in ecommerce diminishes.
But consumers are notoriously fickle creatures. And although it may look bad for the e-tailers at the moment, if customers are given the right reassurances they'll soon happily return online, brandishing a fistful of credit cards.
But who can restore this confidence? Certainly not vendors or retailers, and, if you believe the Department of Trade & Industry, not the government. No, the buck stops firmly outside the door of the Office of the Data Protection Commissioner.
The DPC is the independent watchdog charged with promoting good handling of personal data and ensuring compliance with the Data Protection Act 1998. Any company or organisation handling personal data (names, addresses, credit card details) must notify the DPC of its actions.
All well and good so far. But what happens when things go wrong?
Consumers worried about the misuse of personal details can complain to the Commissioner - something 4,570 people did last year. If the Commissioner feels there is sufficient cause for complaint it will investigate, which it did in 1,812 cases - including 587 visits to company premises. Of those cases, 130 led to prosecutions.
But not one involved ecommerce security.
When Powergen left over 2,500 customer details unprotected on its website - and then refused to inform the consumers involved - the DPC's compliance manager Lorraine Godkin told silicon.com the situation couldn't be treated with urgency.
"There's a three to four week backlog on these complaints so it's difficult to say when this might be addressed," she said.
According to Robert Dirskovski, board secretary of TrustUK, that's an unacceptable delay.
"I'm surprised the DPC said the Powergen case would have to take its place in the queue - this should be given special priority. I do believe the commissioner needs to have support and if she says she doesn't have it, she must be given it," Dirskovski added.
But does the Commissioner have the resources it needs to respond? In its annual survey published last month, the DPC admitted it recruits at the lowest point in the possible pay range - when other local employers are offering increased salaries.
Commissioner Elizabeth France also admitted amongst current staff the "lack of progression within pay ranges has been a growing issue during the year".
Martin Brampton, operations director at Bloor Research, believes the DPC can't handle enforcement. He said: "I think Elizabeth France makes some very sensible comments about data protection, but I don't think her office has the capacity to enforce the law. It doesn't seem much of a match for the large companies that are breaking the law."
The DTI's Information Security Survey published in April claimed 60 per cent of British companies have suffered a security lapse in the last two years - and of those, 64 per cent failed to change their security policy after the event.
Can a watchdog with an annual budget of £5m and a staff of 100 handle this kind of pressure? Compare it with its older cousin, the Health & Safety Executive - which, with 4,200 staff and a budget of £178m, last year investigated 32,000 complaints and brought 1,550 prosecutions - and you get an idea of the kind of resources required.
Last year the DPC failed in its bid for government money to improve its IT infrastructure - a long-term investment impossible on the relatively small amount of funding it currently receives. So for now, it will have to get by on what it has - including a miserly two external email addresses - while data protection, and ecommerce, lurch forward.
For related news see:
'silicon.com launches Back the Act campaign' http://www.silicon.com/a39096
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.