Saturday 4 July 09 - 15:59
 

Business Matters

Data Security - too important to get wrong

When in 2007 HM Revenue and Customs admitted to losing discs containing details of 25 million child benefit claimants, there was a public outcry, says Andrew Dyson.

It was said that in the wrong hands, the records could provide sophisticated criminals with a valuable tool to steal the identities of millions of people: to open bank accounts, obtain credit cards, loans and state benefits, and generate passports and driving licences.

But despite this huge error, losses of data still occur: HM Prisons lost data on staff and prisoners in two separate incidents over the summer of 2008.

In an age where face-to-face transactions are no longer the norm and paper records are increasingly obsolete, maintaining confidence in the way personal information is handled is essential best practice in business.

Organisations must not take good security for granted - the stakes are simply too high for getting it wrong. Her Majesty's Revenue & Customs (HMRC) found this out to its cost. Within hours of the announcement that it had lost the discs, the chairman resigned, questions were asked in parliament and the Information Commissioner's Office commenced formal investigations under the Data Protection Act 1998.

Here we explore the importance of managing personal information properly, outlining an organisation's legal responsibilities to protect personal information, the consequences of failing to do so and practical steps that can avoid some of the most damaging pitfalls.

Protect personal information
The problems suffered by HMRC highlight the risks of failing to protect personal information properly. Sadly, the case is not unique. Earlier this year, the Nationwide Building Society was fined a record £1m when a laptop containing 11m customer records was stolen from an employee's car and a further 11 banks and building societies were named and shamed for the reckless way in which they discarded customer records on the High Street.

These incidents damage customer confidence, erode reputations and ultimately lose businesses money. High-profile security blunders in the US and continental Europe have seen companies lose millions of dollars off stock market values and massive payouts to blighted consumers and vexed regulators.

Complying with the DPA
Protecting personal information is not just sound commercial practice, it is a legal requirement. Any organisation responsible for the collection and use of personal information must comply with the Data Protection Act (DPA).

The DPA requires organisations to keep personal information secure against unauthorised or unlawful use and to manage personal information in a 'fair and lawful' manner. This means:
• holding personal information on secure IT systems;
• ensuring personnel remain aware of the importance of keeping data secure and confidential;
• notifying the Information Commissioner's Office (ICO), and the individual staff, customers, etc, whose personal information is held, about how their personal details are collected and used;
• ensuring personal information is only used for 'fair' purposes - for example, to fulfil a legitimate business need or a statutory duty, or where the individual has given their express consent;
• keeping records up-to-date and cleansed from systems when no longer required;
• allowing individuals the right to obtain a copy of their records on demand; and
• taking extra care when transferring data to third parties outside the UK.

DPA enforcement
The ICO regulates compliance with the DPA. The Commissioner investigates alleged breaches of the legislation and wields significant power to carry out investigations and take enforcement action.

The ICO has a deliberate policy of raising awareness of data protection through publicising poor working practices. Organisations under investigation are likely to be exposed to adverse publicity and, if systemic failures are identified, fines.

If individual members of staff make unauthorised disclosures of personal information, they face the additional prospect of a custodial sentence.

Ensure compliance
Establishing a clear regime of information governance will help ensure compliance with the rules and limit the risk of problems occurring. As a basic checkpoint, make sure the following are in place:
1. There is a clear understanding of the personal information collected and used within the organisation.
2. The use of personal information remains consistent with the expectation of the individuals concerned.
3. Records are regularly updated and (when obsolete) deleted.
4. Policies, procedures and IT systems are designed to maintain the integrity of data, prevent unauthorised access and effectively identify and manage breaches.
5. Regular data protection compliance audits are carried out.
6. A senior officer (directly accountable to board level) exists with overall responsibility for management of data protection and security compliance.
7. Specific approval should be required before personal information can be passed outside the business, overseas or used for any 'new' purposes.

If things go wrong
If an information security breach occurs, avoid the temptation to keep quiet and hope the problem passes by unnoticed. This is usually a recipe for more trouble. Rather, take immediate steps to protect the individuals concerned:
• notify the ICO;
• communicate what has happened to the individuals affected;
• explain any risks they may be exposed to and steps they can take to preserve their privacy; and
• start an investigation to understand the cause of the problem and implement appropriate remedial action to prevent any recurrence.

For the future
The ICO has just been given the power to audit and inspect those government organisations that hold and process personal information without first having to gain permission. Similar powers are being sought for businesses.

Further, s55 of the DPA relates to the illegal buying and selling of personal information. Presently it carries a criminal penalty of up to £5,000 in a magistrates' court or an unlimited fine in a Crown Court.

But going through parliament as part of the Criminal Justice and Immigration Bill is a proposal to add a two-year prison sentence. Also, the ICO wants reckless breaches of the Act to become a criminal offence.

Only s55 breaches and breaches of an enforcement notice are criminal offences under the present law.

Conclusions
People expect their personal information to be properly protected at all times. Organisations which fail to put in place appropriate measures to keep information secure risk alienating their customers, upsetting regulators and undermining their commercial viability.

These risks are real and substantive. If not already in place, commit now the appropriate resource and attention needed to ensure effective information governance for the future.

Andrew Dyson is a partner in DLA Piper. He specialises in information law and data protection issues.