ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


IT Jobs

Disaster recovery Toolkit

Talkback

Post a comment


Story: CIOs: UK data laws unfit for purpose

  • Previous comment

Posted by: achieve (Tuesday 27 November 2007, 9:51 AM)

  • Reply

Overhaul the Laws and Enforce Them!

"The data-protection laws are fine — it's HMRC that's not 'fit for purpose."

My experience shows that the laws are flimsy and easily side-stepped. After all, the Data Protection Act requires organisations to take "all reasonable technological" measures. What's reasonable?

Further, without greater penalties, more data leaks will follow. As it is, the Information Commissioner's Office can only regulate, not enforce, the Data Protection Act.

Some recent experiences will serve to illustrate some of the problems:

1. Looking for an accountant in Scotland who had basic information security practices in place, I went through 9 firms - some of them on the large side -- before I found one that measured up. Some had in-house IT people, some had consultants, some had ad hoc arrangements. The criteria: offsite and encrypted backup, no data leaving the office unencrypted, and access logs to provide an audit trail. Pretty simple, right? The vast majority of firms are using CDs; those that aren't are still on tape held either on-site or in the residence of a partner! Most think nothing of sending tax returns and E-O-Y accounts around the world as an unencrypted PDF document. Many had no access restrictions, and most had no access logging; anyone could access anything at anytime and no one would be the wiser. When I asked what guidelines ICAS gave them, most of them did not know. One flat out told me: nothing.

2. The above situation came about because my present accountant has none of the above. He is a senior partner in a three-office firm with over 1000 clients. His idea of backup is storing a DVD in a safe. "It's bomb-proof," he says.

3. Perhaps the scariest experience of late that underscores for me the poor enforcement of information security laws involves a company I recently heard about. Among the tasks they perform is listening to customer service conversations for insurance companies to ensure compliance. In the process, credit card details and other personal information would be routinely given.

Naturally, this work is outsourced. But rather than spend money on a system with proper access controls and logging, they have given the login information to their workers. Their hired-hands now have access to the entire store of phone conversations. This would have been bad enough if all of their workers lived within the UK or the EU. But one of them just moved to South Africa! When I spoke to someone I know who works for the company, I was told that everyone signed 'privacy agreements' and that was enough. Nevermind the fact that the worker's computer could go missing and take personal UK consumer information with it.

Consequently, there will only be more data breaches and these on an ever-increasing scale. Clearly, the UK government is not taking it seriously enough. But that's not all. A recent study found that the average Briton would have to have their identity stolen twice before he or she considered changing their data security habits. The only hope I see of getting everyone on the same page is a combination of stringent standards and hefty fines. But then HMRC would have to pay, as well.

View complete profile

Private message disabled

View all posts

achieve

achieve
Department Head / Director, Edinburgh
Member since: November 2007

Site Activity Rating:

1

 


  • Previous comment

  • Reply to this comment
  • Return to story
  • Report this as offensive


Full Talkback thread

More In Disaster recovery