A number of serious breaches of data protection law in the past few months indicate that formal education is required to ensure compliance, Data Protection Commissioner Billy Hawkes has said.
Organisations need to have people who understand data protection law and can apply it effectively to avoid punitive measures, Hawkes said at the launch of the Irish Computer Society’s Data Protection Practitioner Certificate, Ireland’s first certified programme for data protection professionals.
The ICS launched the new certification in response to the need for a more detailed awareness of legislation in this area. The three-day programme aims to develop and certify individuals who understand how the country’s data protection laws work and how they meet international obligations, and who can apply the legislation across a range of professional situations.
All public and private organisations are legally obliged to protect any personal information they hold. The Data Protection Acts, 1988 and 2003, confer rights on individuals and place responsibilities on those processing personal data. Staff experienced in data protection issues, as well as those new to the subject, need to be trained adequately so that their organisations are assured that compliance is continually addressed.
Hawkes revealed that his office received more than 900 complaints relating to data regulation breaches in 2007. Many relate to abuses of SMS marketing and a significant number of prosecutions are in motion following a series of raids on SMS providers in August. The full annual report of the Data Protection Commissioner will be published soon.
Hawkes urged organisations to consider a number of key questions in assessing whether they require formal data protection training: Does everyone handling personal data know their responsibilities under data protection law? Is this routinely included in training and induction? Are procedures for handling personal data properly documented? Are data protection compliance responsibilities clearly allocated?
“If your organisation cannot answer yes to the above questions, training is clearly required,” he said.
“Companies need to be proactive in ensuring that all staff involved in the processing, storage and management of personal information are fully aware of their responsibility to clients, suppliers and co-workers,” remarked Jim Friars, CEO of ICS. “By committing to training staff formally in data protection legislation, companies can benefit additionally from enhanced public confidence in the organisation.”
All staff involved in processing, storing and managing personal information should be appropriately educated, but training is particularly important for certain categories of worker, the ICS said. These include information security professionals, compliance and audit managers, data protection officers, legal professionals, human resource managers and healthcare professionals.
By Niall Byrne