13/07/2007 - Headlines - Security
Catalogue of data security breaches highlighted
Several major organisations have breached data protection rules, threatening the privacy and security of customers and employees, a report revealed this week.
Companies and other bodies needed to take the security of personal information seriously, warned the Information Commissioner, who highlighted a number of high profile examples of breaches in his annual report.
Richard Thomas commented: "The roll call of banks, retailers, Government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying.
"My message to those at the top of organisations is to respect the privacy of individuals and the integrity of the information held about them, to embrace data protection positively and to be sure you are not the business or political leader who failed to take information rights seriously."
The Information Commissioner's Office (ICO) received nearly 24,000 enquiries and complaints about personal information issues in 2006-07, according to the annual report.
Questionable practices
Earlier this year, following an ICO investigation into complaints concerning the disposal of customer information, eleven banks were found to be in breach of the Data Protection Act.
Other cases had involved staff at call centres sharing log-in details, and a major retailer whose data centre was hacked and customer information stolen. Government departments were also criticised.
Listing the catalogue of security breaches, Mr Thomas said: "How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each other's forms?
"How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags?"
Stronger powers
According to the ICO's 2006-07 annual report, 56.45% of the data protection cases it received required only advice and guidance.
The watchdog thought a breach was likely to have happened in 35% of cases, of which 77% resulted in remedial action. Internet firms generated most complaints at 13% of the total, closely followed by lenders at 12%, direct marketing at 10% and telecoms at 7%.
Nigel Evans MP, chairman of the All Party Parliamentary Group on Identity Fraud, backed calls for the Information Commissioner's Office to be given stronger audit and inspection powers.
"The Government has a responsibility to ensure that the appropriate resources are provided to all authorities involved with data protection and identity fraud," he said.
"Identity fraud is a real and growing problem in the UK. It is the responsibility of all parties, Government, businesses and individuals, to ensure that personal information is protected."

