Personal Information Promise

What is the Personal Information Promise and why make one?

The ICO urges heads of organisations and government departments to sign up to the Personal Information Promise, to demonstrate their organisation’s senior level commitment to data protection. The aims of the initiative are to improve compliance with the Act and strengthen public trust and confidence in those who are entrusted with their personal information.

The promise lists a number of key commitments that senior figures will make on behalf of their organisations to protect personal information.

Download LetRef's Promise (pdf)

What is the aim of the Promise?

The Promise is intended to help strengthen public trust and confidence in the way organisations handle their personal information. It is a clear statement from the very top of an organisation that it values the personal information entrusted to it and will put the appropriate resources in place to look after it. It also sends a clear signal to the workers in the organisation about the importance of looking after people’s personal information and that this is something taken very seriously at senior level.

Does it create additional legal obligations?

No, the Promise does not create additional legal obligations. The Promise reflects existing legal obligations in the Data Protection Act and puts them into straightforward language that individuals can readily understand. What it does do is to show a public commitment by the organisation to comply and put in place the measures that help ensure that it complies.

It is like a mission statement for the handling of personal information.

How will the ICO use it?

The ICO do not intend to use this as an additional regulatory tool – we will continue to use the Data Protection Act and associated legislation for our enforcement role.

The Promise is made as a general statement aimed at those whose personal information is held and not to the ICO. We will keep a list of those who say they are signing the Promise and put this on our website. If a compliance problem occurs it is up to organisations to reflect on whether they are living up to the Promise.

We recognise that even with the best of intentions a problem can occur or there may be legitimately held views which differ from our own. It’s the commitment to try to live up to the Promise that counts.

What is meant by ‘going further than the letter of the law’?

Many organisations already go further than the letter of the law. For example, they employ data protection officers and follow good practice standards set out in codes of practice, such as the ones issued by the ICO. This is not a commitment to do whatever a customer asks the organisation to do. Organisations can still make their own decisions.

It is about not doing the absolute bare minimum and just trusting to luck that the law is being complied with and the personal information in its care is protected.

How far do we need to go to address privacy risks first?

This is a commitment to think about the privacy and compliance implications before embarking on a new use of information or developing a new system.

At its simplest this may mean asking the data protection officer for an opinion or with something that might engage real privacy concerns considering whether a privacy impact assessment is necessary.

What does the reference to 'treating as a disciplinary matter' mean?

This means that there is a disciplinary sanction that can be used if there is deliberate misuse of information by staff or important safeguards are not followed.

The sanction will depend upon the nature of the contravention. A very minor one off matter may just result in a verbal warning. A much more serious one such as selling personal information to third parties for personal gain may warrant dismissal.

This does not compel an organisation to take disciplinary action on every occasion however minor but to ensure that staff understand that deliberate misuse or reckless use of personal information may result in disciplinary action being taken.

What checks do we need to do, and how do we report on how we are doing?

Most organisations have mechanisms in place to ensure they are complying with their legal obligations. This is usually done by internal checks or part of external audit procedures.

The important thing is that an organisation does not leave matters to chance and has a way of checking how well it looks after personal information. The report on progress does not need to be published separately; it can just be a short reference as part of an organisation’s annual reporting process.

Is the Promise the same as an Information Charter?

No, the two are complementary and not exclusive. The Information Charters being published by some public bodies are aimed at setting out the general standards that people can expect, whereas the Promise provides a signal from the very top of an organisation that protecting personal information is a key organisational aim. The Promise is intended to send a powerful message to the organisation's staff and the public that appropriate resources have been allocated to protect personal information.

While there are overlaps between the Personal Information Promise and the Information Charter, there is no contradiction between the two. We see the Charter and the Promise sitting side by side where a Charter has been adopted.

© Letref Ltd. All rights reserved.