The ICO urges heads of organisations and government departments to sign up to the Personal Information Promise, to demonstrate their organisation’s senior level commitment to data protection. The aims of the initiative are to improve compliance with the Act and strengthen public trust and confidence in those who are entrusted with their personal information.
The promise lists a number of key commitments that senior figures will make on behalf of their organisations to protect personal information.
It is like a mission statement for the handling of personal information.
The ICO does not intend to use the Promise as an additional regulatory tool; we will continue to use the Data Protection Act and associated legislation for our enforcement role.
The Promise is a general statement made to those whose personal information is held, not to the ICO. We will keep a list of those who say they are signing the Promise and publish it on our website. If a compliance problem occurs, it is for the organisation to reflect on whether it is living up to the Promise.
We recognise that even with the best of intentions a problem can occur or there may be legitimately held views which differ from our own. It’s the commitment to try to live up to the Promise that counts.
Many organisations already go further than the letter of the law. For example, they employ data protection officers and follow good practice standards set out in codes of practice, such as the ones issued by the ICO. This is not a commitment to do whatever a customer asks the organisation to do. Organisations can still make their own decisions.
It is about not doing the absolute bare minimum and simply trusting to luck that the law is being complied with and that the personal information in the organisation's care is protected.
This is a commitment to think about the privacy and compliance implications before embarking on a new use of information or developing a new system.
At its simplest this may mean asking the data protection officer for an opinion; for something that might engage real privacy concerns, it means considering whether a privacy impact assessment is necessary.
This means that there is a disciplinary sanction that can be used if there is deliberate misuse of information by staff or important safeguards are not followed.
The sanction will depend upon the nature of the contravention. A very minor one-off matter may result only in a verbal warning. A much more serious one, such as selling personal information to third parties for personal gain, may warrant dismissal.
This does not compel an organisation to take disciplinary action on every occasion however minor but to ensure that staff understand that deliberate misuse or reckless use of personal information may result in disciplinary action being taken.
Most organisations have mechanisms in place to ensure they are complying with their legal obligations. This is usually done through internal checks or as part of external audit procedures.
The important thing is that an organisation does not leave matters to chance and has a way of checking how well it looks after personal information. The report on progress does not need to be published separately; it can just be a short reference as part of an organisation’s annual reporting process.
No, the two are complementary and not exclusive. The Information Charters being published by some public bodies are aimed at setting out the general standards that people can expect, whereas the Promise provides a signal from the very top of an organisation that protecting personal information is a key organisational aim. The Promise is intended to send a powerful message to the organisation's staff and the public that appropriate resources have been allocated to protect personal information.
While there are overlaps between the Personal Information Promise and the Information Charter, there is no contradiction between the two. We see the Charter and the Promise sitting side by side where a Charter has been adopted.