BCS attempts cultural shift in data protection

Summary: New data-protection guidelines aim to encourage private companies and government departments to take better care of personal details

The British Computer Society has launched a data-protection code of practice aimed at getting the public and private sectors to take better care of sensitive information.

The Personal Data Guardianship Code, launched on Monday by BCS in conjunction with the Information Security Awareness Forum (ISAF), is an effort to change how organisations handle personal data.

The code has been given momentum by numerous highly publicised data breaches in the past two years, including the loss of 25 million child benefit-claimant records by HM Revenue & Customs in 2007.

Louise Bennett, BCS chair of the security forum strategic panel, told ZDNet UK on Monday that the government, in particular, needs to understand the principles of data protection. Government departments must also now instigate cultural change following the breaches, so people will automatically take privacy principles into account when embarking on public-sector projects.

"The hardest thing when looking at the data breaches was how you do an effective culture change," said Bennett. "We've produced sheets which go into precisely what the responsibilities of data controllers should be, the roles and responsibilities of data handlers and the rights of data subjects, with examples that can be tailored to the institution."

Bennett added that the government's plans for more e-enablement for citizens, which are grouped under the rubric 'Transformational Government', have not been properly thought through in terms of technological feasibility and impact on privacy.

"There's a vast amount of work to be done in terms of data-sharing," said Bennett. "[The government] totally underestimates the problems of cleansing data and effectively disposing of it when time has expired."

Assistant information commissioner Jonathon Bamford, the director of data-protection development at the Information Commissioner's Office, said that while the privacy regulator has produced its own guidelines, the BCS initiative was also needed.

"We do provide a lot of guidance, but that comes from a regulator. The BCS guidance comes from the people at the sharp end," Bamford told ZDNet UK. "It sends a message we can't deliver. You'd expect the ICO to say that organisations' reputations are at risk from data breaches, but when they are faced with the BCS saying it, it's different."

The Personal Data Guardianship Code has gone through a lengthy drafting process, the eventual code being the outcome of approximately two years' work by the BCS.

Topic: Security

About

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

2 comments
  • This is not ENOUGH

    data-protection code of practice aimed at getting the public and private sectors to take better care of sensitive information...
    THIS IS NOT ENOUGH! This whole world is really very much in danger regarding very recent exploits in cybersecurity - still nobody ever wants to listen and things will only get much worse because of that!!........!!
    JustStar
  • Not enough

    I have to agree. Making a study, and informing companies of what they need to do is useless without enforcement. It's like telling a child to stay out of the cookie jar.
    ator1940