Careless and inexcusable data lapses slammed by UK privacy chief

The Government and some of Britain's largest companies are guilty of "careless and inexcusable" data security lapses leading to serious breaches of privacy, the Information Commissioner has said.

In an impassioned attack on the failure of large organisations to take data protection seriously enough, the Commissioner, Richard Thomas, said that big business and government departments were not living up to their responsibilities.

"Over the last year we have seen far too many careless and inexcusable breaches of people’s personal information. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying," he said.

The Information Commissioner's Office (ICO) releases its annual report today. In the past year it has accused some of the UK's biggest names of breaching the Data Protection Act, including Nationwide Building Society, Orange, HBOS, The Post Office, Littlewoods, Barclays Bank, and the Royal Bank of Scotland.

"How can laptops holding details of customer accounts be used away from the office without strong encryption?" said Thomas. "How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each other's forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags?"

Thomas said that chief executives must take data protection and the privacy of customers and employees more seriously. The problem may not be at that level, though, according to Louise Townsend, a data protection expert at Pinsent Masons, the law firm behind OUT-LAW.COM.

"The examples he has given are horrifying examples, but I don't think it's the case that organisations don't take this seriously. I think the problem is they are not getting the message across to all the organisation," she said.

"The Commissioner talked about local branches of banks putting rubbish in bins with people's information in them; the big financial services companies do take this seriously and have compliance staff but they maybe need to have a look at how they communicate to all their staff and how they put rules into practice," said Townsend. "It's not about it not being taken seriously, it's about how it filters down."

The ICO says that the limited powers of the Commissioner make it difficult to police data protection effectively. It wants the power to audit organisations without their permission, and is lobbying for the creation of a two-year jail sentence for people who deliberately abuse personal data.

Greater powers could provide a more significant deterrent, said Townsend. "The people he mentions just had to sign undertakings which were put on his site, not pay a fine or face criminal prosecution. If they faced a £1 million fine like Nationwide did from the FSA then it might be taken more seriously than being put on the Commissioner's website and signing a piece of paper," she said.

The ICO said that it had now received 6,000 complaints and issued 600 decision notices. It said that it had received 24,000 enquiries in the past year and had prosecuted 16 individuals and organisations in that time.