Business Crime Reduction Partnerships survey

The Information Commissioner’s Office (ICO) would like to get more help to Business Crime Reduction Partnerships.

We have recently done some work with the National Association of Business Crime Partnerships (NABCP) regarding data protection and practices but we would also like to reach other independent partnerships within this sector.

We would like to know more about the issues you face and invite you to complete a short BCRP survey which will help us to gauge your views.

Please share the survey with as many staff who handle personal data as possible, requesting that they also complete it.

The survey will take around 15 minutes to complete. All answers are anonymous and confidential. Responses will be analysed by the ICO and statistical information will be used in a final outcomes report to be published on the ICO website and made available to all partnerships.

In addition to this the ICO offers a free advisory visits service to help improve your practices. 

Where possible, we like to educate organisations about their data protection obligations but the consequences for breaking the rules can be serious. The loss, damage or unlawful disclosure of personal information can seriously undermine public trust in your business and in the worst cases, lead to fines of up to £500,000.

Data protection rights: What the public want and what the public want from Data Protection Authorities

This paper draws together common themes from pan European research, along with research conducted in the UK and the Commissioner’s own experience of these themes. To supplement the findings from the secondary research the Information Commissioner also commissioned a small amount of primary research to understand the public’s views on privacy and data security in relation to use of the internet. It was produced by the Information Commissioner to provoke discussion and debate at the European Conference of Data Protection Authorities which took place in Manchester on 18-20 May 2015, hosted by the ICO.

Data protection rights research: What the public want and what the public want from Data Protection Authorities

Review of the impact of the ICO’s civil monetary penalties 

Since April 2010 the Information Commissioner’s Office has been able to issue civil monetary penalty notices of up to £500,000 for serious breaches of the Data Protection Act. And since May 2011 serious breaches of the Privacy and Electronic Communications Regulations (PECR).

In February 2014 we commissioned research into the impact of CMPs. The research consisted of telephone interviews with 14 organisations that had received a CMP and 85 peer organisations in the same sectors who had not received a CMP.

Our review collates the results of the research, including our findings, the organisations’ concerns and our conclusions. We have also produced a video summary of the results.

Review of the impact of ICO civil monetary penalties (pdf)
SPA Future Thinking presentation (pdf)

View the presentation on YouTube


Implications of the European Commission’s proposal for a general data protection regulation for business

The ICO has published a report on the European Commission’s proposal for a General Data Protection Regulation and the implications for business (pdf), which it commissioned from London Economics. The research adds to the evidence base by shedding light on the level of uncertainty that exists within the UK business population regarding the scope of the Regulation and its cost impact. The report:

  • confirms that a lack of understanding about the provisions in the draft Regulation persists across business;
  • reveals that businesses are unable to reliably cost their current expenditure in relation to their data protection responsibilities – and that this persists in relation to costs estimates for future spending under the new proposals. This uncertainty indicates that the available data on the net financial impact of the proposed Regulation are questionable and furthermore, difficult to corroborate.
  • the lack of understanding indicates that there is a key role for the ICO to play in educating and supporting UK businesses to better understand their future data protection obligations.

Processing of personal information on personal devices for work purposes: survey

The ICO commissioned an online survey about the processing of personal information on personal devices for work purposes. The survey, carried out by YouGov (pdf), reveals that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But less than 3 in 10 who do so are provided with guidance on how their devices should be used in this capacity.

We have published 'bring your own device' (BYOD) guidance (pdf) explaining some of the risks organisations must consider when allowing personal devices to be used to process work-related personal information. The guidance explains how this approach can be adopted safely and in a manner that complies with the Data Protection Act.

Integrating PIA with project and risk management

The Information Commissioner would like to improve integration between Privacy Impact Assessments (PIAs) and existing project and risk management processes. He has recently appointed Trilateral Research & Consulting to look into this and produce a report containing practical suggestions on how integration could be realised.

To this end, he would be grateful if you could consider six questions (pdf) and if it’s appropriate send your responses to Dr Monica

Privacy Impact Assessment (PIA) is a tool promoted by the ICO to assist organisations with assessing and reducing privacy risks posed by new projects and data processing activities. In 2007, the ICO published a PIA Handbook, providing an overview of its methodology and further guidance for organisations carrying out PIAs. A revised version of the handbook (pdf) was published in 2009.

Cloud computing: online survey

The ICO have commissioned an online survey about Cloud Computing. The survey, which was carried out online by YouGov, has revealed that 46% of UK adults online who use cloud storage are concerned about the security of their information in cloud storage. The survey also found that only 39% of adults online realised that social media used cloud storage to store personal data, while 46% did not realise that by hosting their information on cloud servers, their information could be being stored anywhere in the world.

The ICO has also produced new cloud guidance for businesses (pdf) to underline that companies remain responsible for how personal data is looked after, even if they pass it to cloud network providers.

View the YouGov survey: PDF version / Excel version

Deleting your data

ICO seminar on privacy and data anonymisation

The ICO seminar on privacy and data anonymisation was held in London on Wednesday 30 March 2011. Leading experts presented different approaches to, and perspectives on, this complex subject. The seminar looked at current practice, the risks associated with anonymisation and possible solutions for the future.

Presentations were followed by a facilitated plenary session which allowed speakers and audience members to discuss the issues in greater detail. A report of proceedings is available below, in addition to the conference programme and copies of the speakers’ slides.

Seminar report

Seminar programme

From Data to Health
Sir Mark Walport, Director, The Wellcome Trust

Anonymisation as Disclosure Avoidance
Dr Mark Elliot, University of Manchester

Transparency – Opening Up Government
Nicola Westmore, Cabinet Office

Privacy, Deanonymisation and Transparency
Dr Kieron O’Hara, University of Southampton

Balancing Risk and Utility – Experiences in Official Statistics
Dr Marie Cruddas, Office for National Statistics

Protecting Privacy After The Failure of Anonymisation
Professor Paul Ohm, University of Colorado

Anonymity in Market, Social and Opinion Research
Barry Ryan, Market Research Society

Wi-Fi Settings: online survey

The ICO have commissioned an online survey about Wi-Fi security in the home. The survey, which was carried out online by YouGov, has revealed that 40% of people who have Wi-Fi at home do not understand how to change the security settings on their wireless (Wi-Fi) networks, while 16% of people are either unsure or are already aware that they are using an unsecured network.

The ICO is calling for Internet Service Providers (ISPs), retailers and manufacturers to make sure the guidance supplied with their Wi-Fi equipment is clear to the end user and fully explains the risks of people using an unsecured connection. 

The ICO has also produced new guidance on how people can check the security settings on their Wi-Fi router and provides information on how to make the network more secure, including setting up a strong password to stop other people accessing the network and making sure the information sent over the device is encrypted.

View the YouGov survey

Credit report survey

We are working with the credit reference agencies CallcreditEquifax, and Experian to find out what people think about the quality of credit reports. We have commissioned a survey as part of this work, which has been emailed to people who have recently requested their credit report and have been asked to take part.

If you’ve been invited to take part in the survey, we want to know whether you think the information in your credit report is accurate or not and whether it is easy to understand.

The survey is confidential. The ICO will only see the information you give us on the form and we won’t see any of the information on your credit report. The survey is being hosted by HSL using Survey Monkey, who have undertaken not to disclose the information you provide to anyone other than the ICO.

Good practice research

In 2012, we commissioned SPA Future Thinking to complete a review on the satisfaction of the range of services that we provide. As with all public-sector organisations, there are limited resources available, and understanding customers' perceptions is key to managing the business operation.

The survey focused on the understanding of people's perceptions on each of our functional areas, specifically looking at whether good data protection practices were being followed, as well as how well we gave practical advice on how to improve our data protection service.

Good practice research

Enforcement research

In 2012, we commissioned SPA Future Thinking to review our customers' satisfaction with regards to enforcement. The survey focused on how good our communications were, as well as our approach.

Enforcement research

Review of Availability of Advice on Security for Small/Medium Sized Organisations

The ICO commissioned the Review of Availability of Advice on Security for Small and Medium Sized Organisations to better understand how well small and medium sized enterprises (SMEs) can access appropriate information security advice for protecting personal information. The ICO recognises that SMEs will not have the technical expertise that many larger businesses will have at their disposal. Many small businesses use personal information and we recognise that SMEs need practical and concise guidance to help them comply with the law, and handle personal information appropriately.

The ICO has already acted on a number of recommendations by updating the Guide to Data Protection which provides businesses with practical advice about the Data Protection Act. The practical business based examples in the Guide can help SMEs safeguard personal data and meet the requirements of the Data Protection Act. We are also reviewing some of our other guidance in light of the report’s findings to ensure it is appropriate for the needs of SMEs. We are particularly interested in how guidance can be accessed through third party business trade and membership bodies and we will be following that up in the coming months.

The business case for investing in proactive privacy protection

The ICO has published the report ‘The Privacy Dividend: the business case for investing in proactive privacy protection’ which it commissioned from Watson Hall Ltd and John Leach Information Security Ltd (JLIS Ltd). The aim of the report is to help organisations understand the business rationale for, and benefits to be gained from, building in better privacy protection.

The report concludes that protecting personal information makes good business sense; it brings real and significant benefits that far outweigh the effort privacy protection requires; and ignoring privacy and not protecting personal information has significant downsides. The report analyses the value of personal information from different perspectives and outlines the consequences of privacy failures. It recognises that there is no 'one size fits all' approach and provides practical tools to help organisations construct customised business cases for investing in privacy protection.

Read the full report

Review of EU Data Protection Law

The Information Commissioner’s Office (ICO) has published the review of the strengths and weaknesses of the EU Data Protection Directive which it commissioned from RAND Europe.

The ICO commissioned RAND Europe to conduct the study amid growing fears that the current European Directive was out-dated and too bureaucratic.

The RAND study concludes that, in an increasingly global, networked environment, the Directive will not suffice in the long term. The report acknowledges that the Directive has helped to harmonise data protection rules across the European Union and has provided an international reference model for good practice. However, the report also says that the Directive is often seen as burdensome and too prescriptive, and may not sufficiently address the risks to individuals’ personal information.

Read the full report
Read the report summary

Notifications payment research

It is being considered that the charging regime for data controllers notifying with the ICO will be revised. In February 2008 a research project conducted amongst data controllers was commissioned to provide information to help inform how the revised charging regime could be applied.

SMSR Ltd was commissioned to undertake the study on behalf of the ICO. SMSR Ltd is an independent market research company based in Hull which adheres to the Market Research Society’s Code of Conduct.

Notifications payment research report

Stakeholder perception study

A commitment of the stakeholder relations strategy, launched in 2007 is to track progress of our actions. As a result a survey was undertaken in March 2008 to measure perceptions of the ICO amongst key stakeholders.

The stakeholder perception study involved stakeholders which have a high interest in what we do and can have a high influence on ICO, data protection and freedom of information issues.

The research was conducted on behalf of the ICO by Jigsaw Research and Critical Research, both independent market research agencies based in London.

Stakeholder perception study: research report