Information Commissioner Christopher Graham has the power to fine firms up to £500K for data breaches

ICO launches online guide to data protection

Code of Practice highlights the importance and implications of information security

The Information Commissioner's Office (ICO) has launched an online guide aimed at helping businesses, charities and public bodies ensure that they manage data securely.

The Personal Information Online Code of Practice also aims to provide tips allowing consumers to make an informed choice about whether they sign up for a particular online service.

Information Commissioner Christopher Graham explained that businesses need to take data security seriously in order to avoid fines and retain the trust of customers.

"A record of our online activity can reveal our most personal interests. Mislead consumers or collect information you don't need, and you are likely to diminish customer trust and face enforcement action from the ICO," he warned.

Graham also called on individuals to be more proactive in checking privacy settings, and to be careful about the details they post online.

With this in mind, the ICO has published a guide for consumers called Protecting your personal information online (PDF), providing advice on avoiding scams, being careful about disclosing information and using privacy settings effectively.

Stewart Room, a partner in the privacy and information law group at legal firm Field Fisher Waterhouse, said that the new guidance is "very welcome" and vital to ensuring that companies understand their legal obligations with regard to data.

"The new ICO guidance sets out in plain English the key principles controllers need to be aware of. Of course, it does not seek to address all of the issues but, in combination with expert legal advice, it provides a helpful route map for compliance," he said.

"Many organisations are not taking their legal obligations for security seriously enough. It is quite dispiriting to find that many still do not see security as a board-level issue."

Room also believes that the ICO needs more direct powers to compel businesses to protect data, and that the reporting of data losses should be made mandatory.

"In my opinion, the fear of unlimited fines would have provided better incentives. Likewise, the audit power should be extended to cover all data controllers. At the moment it covers government departments only," he said.

"Finally, we need clear, mandatory breach disclosure laws. At the moment the UK position on breach disclosure is contained in regulatory guidance, which is unsatisfactory."


copyright Oxkoon Inc.