Information is created and disseminated by individuals, not their managers or directors. If the misuse of personal information is to be stopped we need to address the lack of knowledge and concern at the lowest levels in organisations. I have often experienced this.

What you are suggesting here is tantamount to the finance functions ignoring financial training and allowing staff do what they wish with their companies financial assets; and then blaming / jailing their FD for the fraud that ensues.

Sanctions against directors will help with only the grossest corporate breaches of the DPA. For real and lasting change basic end user training and consequences for individual breaches is what is really needed.

When I was part of the UK Data Protection Forum, during the early days of the UK’s 1984 DP Act, I felt, and stated vociforously, that trading in personal data should be a criminal offence. If that was not to be the case, I compaigned for an opt-in data collection process because that would mean only a 2% collection rate, rather than the 98% that does happen. The miniscule ‘opt-out’ box and its associated barely-readable (especially for those with poor eye-sight) text do not lead to fair collection in my view.

I certainly hope your influence can have the results we would like to see. It would be wonderful if the sphincters of the leaders of British industry were tightened by the threat of stricter application of our DP legislation.