The Information Commissioner's Office has criticised some of the UK's largest companies for a range of security breaches over the past year, calling the lapses in privacy "unacceptable".
Information commissioner Richard Thomas urged the companies' chief executive officers to raise their game. Orange, Barclays and NatWest were among those criticised for security and privacy breaches in the Information Commissioner's Office's (ICO) annual report for 2007, which was released on Wednesday.
"Over the last year, we have seen far too many careless and inexcusable breaches of people's personal information," said Thomas at the launch of the annual report in London. "The roll call of banks, retailers, government departments, public bodies and other organisations that have admitted serious security lapses is frankly horrifying."
"How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each other's forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured, in non-confidential waste bags?" Thomas asked.
Although the majority of organisations process personal information appropriately, privacy must be given more priority in every UK boardroom, according to Thomas. "Organisations that fail to process personal information in line with the principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers," he said.
The ICO also called for stronger audit and inspection powers. Currently the ICO can only audit organisations' information-handling practices with their consent. The information commissioner wants the right to inspect and audit organisations where poor practice is suspected.
The ICO received almost 24,000 enquiries and complaints concerning personal information in 2006/07, and prosecuted 16 individuals and organisations for data-protection transgressions.