
Businesses breaching data protection act

2nd Jun 2009

Almost one in five businesses has unwittingly breached the Data Protection Act at least once, according to a study by BSI.

The survey questioned over 500 UK SMEs on how they managed personal information on staff and customers, including sensitive data such as racial or ethnic origin, trade union membership and criminal proceedings.

Nearly half admitted that there is no one in their business with specific responsibility for data protection, while 65% said they offered no data protection training for their staff.

Of those questioned, 15% said they were not confident that their data sharing practices conform to the Data Protection Act, and almost 5% of these frequently share data regardless.

With many firms struggling under financial pressure, 18% said data protection was less of a priority in the current economic climate.

“The BSI survey backs up what we have known for some time – that many organisations find the legislation in this area complex. The standard can help organisations put in place the measures which will lead to compliance and demonstrate that they are handling personal information responsibly”, said Gordon Wanless, chairman of the Data Protection Forum.

BSI recently launched the new British Standard, BS 10012, Data protection – Specification for a personal information management system, which was developed to establish best practice and aid compliance with data protection legislation. It is the first standard for the management of personal information.

Rather than prescribing exactly how operations should be run, BS 10012 provides a framework to enable effective management of personal information. It can be used by organisations of any size and sector to create a tailored management system which includes procedures in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data and disclosure to third parties.

For further information on BS 10012 visit .



Replies (2)


By AnonymousUser
16th Jun 2009 16:16

Data retention
I've found one of the better ways is not to retain data - at least not on the main systems - that is no longer needed.

Personal information from customer profiling surveys or similar can be moved off to an archive once the statistics are run and the individual details are no longer required. An archive can have much more limited access, both physically and by network controls, and a firewall will reduce the risk of data theft if someone does get into the main network.

Synergy Connections - Telephone Surveys, Telemarketing and data cleaning

Thanks (0)
By mbrindley
04th Jun 2009 16:44

Need to find where the holes are before you can plug them
It’s no wonder that almost one in five businesses in the UK has breached the Data Protection Act (DPA) at least once; in fact, in reality it is probably more than that. Recent research we have undertaken ourselves shows how a large proportion of IT managers are largely unaware of which employees have access to which systems. If you don’t know who has access to your system, then how do you know that you are plugging all the potential holes? The time for overconfidence has passed. It is important for IT managers to start undertaking regular audits of their systems, ensuring that employees have access to only the information they need to do their jobs. Otherwise the DPA will continue to be breached, whether accidentally or through malicious intent.

Thanks (0)
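The access audit the comment above calls for ("which employees have access to which systems", and only what they need for their jobs) can be made concrete as a least-privilege access review. The script below is an added example, not code from the article, from BSI or from either commenter. It assumes three inputs that a small business could export: an HR list of staff with their role and status, an access export with one row per (user, system, permission) and the date the permission was last used, and a role-to-entitlement matrix agreed by the business. All three are constructed sample data here, as are the system names and the 90-day staleness threshold.

```python
"""Least-privilege access review over constructed sample exports.

Added example; the inputs, system names and thresholds are illustrative
assumptions, not data from the article or the commenters.
"""
import csv
from collections import Counter
from datetime import date, timedelta
from io import StringIO

# Constructed sample: HR view of staff, their role, and whether they still work here.
STAFF_CSV = """user,role,status
alice,finance,active
bob,sales,active
carol,sales,active
dave,it_admin,active
erin,sales,left
"""

# Constructed sample: access export from the systems themselves.
# last_used is an ISO date, or blank if the permission has never been exercised.
ACCESS_CSV = """user,system,permission,last_used
alice,payroll,read,2009-05-28
alice,payroll,write,
bob,crm,read,2009-05-30
bob,payroll,read,2009-01-10
carol,crm,read,2009-05-29
carol,crm,export,2009-05-29
dave,crm,admin,2009-02-01
dave,payroll,admin,2009-05-20
erin,crm,read,2009-02-15
frank,crm,read,2009-06-01
"""

# Constructed: the least-privilege baseline, i.e. what each role needs to do its job.
ROLE_ENTITLEMENTS = {
    "finance": {("payroll", "read"), ("payroll", "write")},
    "sales": {("crm", "read")},
    "it_admin": {("crm", "admin"), ("payroll", "admin")},
}

# Assumed review policy: a permission unused for longer than this is flagged.
STALE_AFTER = timedelta(days=90)
# Date the review is run (fixed so the sample output is reproducible).
REVIEW_DATE = date(2009, 6, 4)


def load_rows(text):
    """Parse a CSV export held in a string into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def review_access(staff_csv, access_csv, today):
    """Compare every access grant against HR status and role entitlements.

    Returns a list of findings as (user, system, permission, reason), in the
    order the grants appear in the access export. Each grant gets at most one
    finding, with the most serious reason checked first.
    """
    staff = {row["user"]: row for row in load_rows(staff_csv)}
    findings = []
    for row in load_rows(access_csv):
        user, system, perm = row["user"], row["system"], row["permission"]
        person = staff.get(user)
        if person is None:
            # An account the business does not know about: orphaned or shared.
            findings.append((user, system, perm, "no HR record"))
            continue
        if person["status"] != "active":
            # Leavers whose access was never revoked.
            findings.append((user, system, perm, "leaver still has access"))
            continue
        if (system, perm) not in ROLE_ENTITLEMENTS.get(person["role"], set()):
            # Access beyond what the role needs: the "hole" the comment refers to.
            findings.append((user, system, perm, f"beyond role '{person['role']}'"))
            continue
        if not row["last_used"]:
            findings.append((user, system, perm, "never used"))
        elif today - date.fromisoformat(row["last_used"]) > STALE_AFTER:
            findings.append((user, system, perm, "unused for over 90 days"))
    return findings


def summarize(findings):
    """Count findings by reason, which is what a manager wants to see first."""
    return Counter(reason for _, _, _, reason in findings)


if __name__ == "__main__":
    results = review_access(STAFF_CSV, ACCESS_CSV, REVIEW_DATE)
    for user, system, perm, reason in results:
        print(f"{user:8} {system:8} {perm:7} {reason}")
    print(dict(summarize(results)))
```

Run against the constructed data, the review reports a leaver with live access, an account with no HR record, two grants beyond the holder's role, one permission never exercised and one unused for over 90 days; each of those is a candidate for revocation rather than something to fix silently, since the point of the audit is to produce a record that the business can act on and repeat.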