Defining the changing privacy landscape

The spate of incidents over the past year, in which individuals’ personal details were lost or stolen, has dented public – and business – confidence in the ability of IT professionals to protect data.

But, given the way in which most of that data has been exposed, there is a lot they can do in terms of the application of technologies and processes to close down those holes.

Seamus Reilly, Ernst & Young’s director of Technology and Security Risk Services (TSRS) in Northern Europe, the Middle East, India and Africa, says that businesses – and government – need to establish a clear definition of what constitutes private data.

“It does not only relate to your customers, it relates to your employees. One of the areas we work a lot with people on is looking after and managing their privacy responsibilities to their own employees.”

With most organisations working with outsourcing partners – many either outside the UK or with offices outside the UK – there is a clear requirement to extend the privacy considerations beyond their own walls. “Outsourcing inspections might be necessary if you think data is being moved across borders,” says Reilly.

“If you go to different jurisdictions you get different definitions – some talking about privacy, some talking about personal data.”

In general terms, privacy is about an individual’s ability to control their personal information – how it can be collected, used and disclosed.

But not all personal data is equal. Several jurisdictions make a distinction between personal data and ‘sensitive’ personal data. In the US, that extends to items like credit card numbers and social security numbers; in Europe, that sensitivity applies to religious beliefs and sexual orientation.

“So, with definitions, you really need to understand what is the key personal information that your organisation is going to look after,” says Reilly. Failure to do so is becoming more painful – and not just for the individual whose data is exposed.

The UK Information Commissioner’s Office (ICO) may only be able to impose a maximum fine of £5,000 for a breach, but it has other options to enforce privacy. It has moved to a policy of ‘naming and shaming’ companies that fail to protect privacy, by issuing enforcement notices. A recent one highlighted a company that lost 26,000 records; another exposed details of a firm that had been passing incorrect personal credit details to a credit-checking agency. The ICO is also working much more closely with the Financial Services Authority, where the fines can extend to millions of pounds.

Concern about such issues was underscored by E&Y’s 2007 Global Information Security Survey. For 62% of the security executives questioned, negative publicity, reputational damage and privacy and data protection were in the top three drivers of their information security practices.

And from an individual’s point of view, that demonstration of a little healthy paranoia can only be a good thing.

David Cliff

David Cliff is managing director of Houghton le Spring-based Gedanken, a company specialising in coaching-based support and personal development. Cliff is an experienced trainer, manager and therapist,...
