1-in-5 businesses admit to breaching the Data Protection Act
Almost one in five businesses has unwittingly breached the Data Protection Act (DPA) at least once according to a recent survey of over 500 small and medium sized businesses. Of these, nearly half said they had probably breached the Act on several occasions.
A further additional 18% of SMEs are not sure whether they had breached the DPA or not. A ‘breach’ could refer to the illegal transfer of information to a third party, failure to hold information securely or neglect of other legal obligations.
The research, conducted by BSI*, provides a snapshot of how UK businesses manage the personal information they hold on staff and customers, including sensitive data such as racial or ethnic origin, trade union membership and criminal proceedings.
It was carried out to mark the publication today, 2 June 2009, by BSI of a new British Standard which will help organisations put in place a framework for maintaining and improving compliance with data protection legislation and best practice. “Data protection – Specification for a personal information management system” is the first Standard for the management of personal information and is launched at today’s Data Protection Forum in London.
The research also found that:
- 65% of businesses provide no data protection training for their staff.
- Nearly half of those businesses surveyed admit that there is no one in their business with specific responsibility for data protection.
- 15% of businesses are not confident that their data sharing practices conform to the DPA and worryingly, almost 5% of these frequently share data regardless.
- 18% of businesses said that data protection is less of a priority in the current economic climate.
Mike Low, Director, Standards, BSI, said: “The 5 million small and medium sized businesses in the UK form the backbone of the British economy. These organisations are handling vast amounts of personal information on a daily basis and while it is encouraging that some already have appropriate data protection measures in place this survey clearly shows that there is still a long way to go.
“A third of businesses stated that the complexity of the legislation restricts their compliance with the DPA. The new standard addresses this and many other issues, providing organisations with a framework for maintaining and improving compliance and demonstrating that they are handling personal information responsibly.”
Rather than prescribing exactly how operations should be run, the new Standard, BS 10012, provides the framework which will enable effective management of personal information. It can be used by organisations of any size and sector to create a tailored management system which includes procedures in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data and disclosure to third parties.
BS 10012 was developed by a panel of experts including representatives from industry, government, academia and consumer groups. A three month public comment period produced a high number of comments all of which were considered by the panel before preparation of the final version of the standard.
* The research was conducted on behalf of BSI by Opinion Matters between 11/05/2009 and 18/05/2009 amongst a nationally representative sample of 516 Senior Decision Makers in SMEs.
Additional Information - BSI
BSI – www.bsigroup.com - is a global independent business services organisation that inspires confidence and delivers assurance to over 80,000 customers with standards-based solutions. Originating as the world’s first national standards body, BSI has over 2,400 staff operating in over 120 countries through more than 50 global offices. BSI’s key offerings are:
- The development and sale of private, national and international standards and supporting information that promote and share best practice
- Second and third-party management systems assessment and certification in all critical areas of management disciplines
- Testing and certification of services and products for Kitemark and CE marking to UK, European and International standards. BSI is a Notified Body for 17 New Approach EU Directives
- Certification of high-risk, complex medical devices
- Performance management software solutions
- Training services in support of standards implementation and business best practice.
Additional Information - Data Protection Forum
- The Data Protection Forum provides a focus for the collection, formulation, exchange and communication of ideas and information on data protection, freedom of information and related topics.
- The Data Protection Forum is an association of over 270 members from more than 120 public and private sector companies and organisations. These encompass financial services, retail, law, accountancy, consultancy, marketing, travel and insurance from the private sector, as well as charities and public sector organisations such as the police, local authorities, central government, health and universities.
For further information please visit www.dpforum.org.uk
For more information see our article Understanding the Data Protection Act
1-in-5 businesses admit to breaching the Data Protection Act
Almost one in five businesses has unwittingly breached the Data Protection Act (DPA) at least once according to a recent survey of over 500 small and medium sized businesses. Of these, nearly half said they had probably breached the Act on several occasions.
A further additional 18% of SMEs are not sure whether they had breached the DPA or not. A ‘breach’ could refer to the illegal transfer of information to a third party, failure to hold information securely or neglect of other legal obligations.
The research, conducted by BSI*, provides a snapshot of how UK businesses manage the personal information they hold on staff and customers, including sensitive data such as racial or ethnic origin, trade union membership and criminal proceedings.
It was carried out to mark the publication today, 2 June 2009, by BSI of a new British Standard which will help organisations put in place a framework for maintaining and improving compliance with data protection legislation and best practice. “Data protection – Specification for a personal information management system” is the first Standard for the management of personal information and is launched at today’s Data Protection Forum in London.
The research also found that:
- 65% of businesses provide no data protection training for their staff.
- Nearly half of those businesses surveyed admit that there is no one in their business with specific responsibility for data protection.
- 15% of businesses are not confident that their data sharing practices conform to the DPA and worryingly, almost 5% of these frequently share data regardless.
- 18% of businesses said that data protection is less of a priority in the current economic climate.
Mike Low, Director, Standards, BSI, said: “The 5 million small and medium sized businesses in the UK form the backbone of the British economy. These organisations are handling vast amounts of personal information on a daily basis and while it is encouraging that some already have appropriate data protection measures in place this survey clearly shows that there is still a long way to go.
“A third of businesses stated that the complexity of the legislation restricts their compliance with the DPA. The new standard addresses this and many other issues, providing organisations with a framework for maintaining and improving compliance and demonstrating that they are handling personal information responsibly.”
Rather than prescribing exactly how operations should be run, the new Standard, BS 10012, provides the framework which will enable effective management of personal information. It can be used by organisations of any size and sector to create a tailored management system which includes procedures in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data and disclosure to third parties.
BS 10012 was developed by a panel of experts including representatives from industry, government, academia and consumer groups. A three month public comment period produced a high number of comments all of which were considered by the panel before preparation of the final version of the standard.
* The research was conducted on behalf of BSI by Opinion Matters between 11/05/2009 and 18/05/2009 amongst a nationally representative sample of 516 Senior Decision Makers in SMEs.
Additional Information - BSI
BSI – www.bsigroup.com - is a global independent business services organisation that inspires confidence and delivers assurance to over 80,000 customers with standards-based solutions. Originating as the world’s first national standards body, BSI has over 2,400 staff operating in over 120 countries through more than 50 global offices. BSI’s key offerings are:
- The development and sale of private, national and international standards and supporting information that promote and share best practice
- Second and third-party management systems assessment and certification in all critical areas of management disciplines
- Testing and certification of services and products for Kitemark and CE marking to UK, European and International standards. BSI is a Notified Body for 17 New Approach EU Directives
- Certification of high-risk, complex medical devices
- Performance management software solutions
- Training services in support of standards implementation and business best practice.
Additional Information - Data Protection Forum
- The Data Protection Forum provides a focus for the collection, formulation, exchange and communication of ideas and information on data protection, freedom of information and related topics.
- The Data Protection Forum is an association of over 270 members from more than 120 public and private sector companies and organisations. These encompass financial services, retail, law, accountancy, consultancy, marketing, travel and insurance from the private sector, as well as charities and public sector organisations such as the police, local authorities, central government, health and universities.
For further information please visit www.dpforum.org.uk
For more information see our article Understanding the Data Protection Act
|