- Mobile
iOS App- Newsletters
- Subscribe
- Stakeholders
- Follow:
GOVERNMENT ZONE
- Central government
- Devolved government
- Education
- Health and social care
- Home affairs
- Local government
- Transport
AREA OF INTEREST
- Built environment
- Culture, heritage and museums
- e-government
- Energy
- Finance and pensions
- Innovation, science and technology
- International
- Management and HR
- PFI and partnerships
- Procurement
- Property
- Scotland
- Sustainable futures
- Waste
SISTER SITES
Email
Print
Data breaches and the ICO – the never ending cycle
13 April 2012
The frequency of data breaches and relatively small fines could end up with data loss being seen as a necessary evil, warns one IT security specialist
Since the start of 2012, we have seen a resurgence of fines from the Information Commissioner's Office (ICO), with Cheshire East Council, Croydon Council and Norfolk County Council all facing fines following serious data breaches.
For Croydon Council, a bag containing information relating to the care of a child sex abuse victim was stolen from a London pub, resulting in a £100,000 fine. Norfolk County Council has been served with an £80,000 fine for providing information regarding allegations against a parent and the welfare of their child to the wrong recipient. And Cheshire East Council was ordered to pay £80,000 for failing to take appropriate measures to ensure the privacy of emails regarding police suspicions over a volunteer.
None of these are acceptable, and the ICO has fallen below par in its reaction on every case.
Society – government included – needs to take a step back to really appreciate what is actually being compromised by such damaging breaches. In recent cases, child sex abuse victims have been exposed, child welfare information has been revealed and police emails have been leaked into the public domain. These are all extremely vulnerable individuals and the fact that simple rules to safeguard sensitive details relating to their identities and circumstances have seemingly been ignored or easily broken is unforgiveable.
The fact that preventable mistakes continue to happen, year on year, clearly demonstrates that something needs to change. Whether it is better technology and safeguards being put in place, new regulations, an increase in punishments, or a combination of all of the above – a change in attitude towards sensitive data needs to take place. After all, what may be a routine case to a council employee will often relate to the most private, most sensitive information about the victim.
The problem is compounded by the sizes of the fines issued. They may initially appear to be big but, in the grand scheme of things, they are not – and the fact that council after council will simply pay and carry on, without any change to their processes or policies, does little to prevent further instances of data loss.
Worse still, the frequency of these data breaches undermines their severity to the outside world. As more and more data breaches make the news, and the ICO continues to hand out fine after fine, stories will stop making headlines, and data loss could end up being perceived almost as a necessary evil, in the challenging climate of cutting costs and expanding workloads. We simply cannot let it get to this stage.
The kinds of mistakes that lead to these instances of data loss are completely preventable. The manifesto for change can be simple:
1.The ICO must raise its game. Start handing out big ticket fines. Losing a citizen's confidential data is unacceptable as they will have little recourse for redress. Losing a child's data is a disgrace for the same reason, but amplified.
2. Deploy the technology. Encryption isn't cutting edge anymore – it's a commodity.
3. Stop organisations being able to simply accept fines, look shame faced for five minutes and get on with things. Give the ICO a 20-fold increase in fining powers, some nice shiny powers compelling people to remediate against mistakes, and a legal requirement for public bodies to publish their infosecurity status in annual reports
4. Offer training to people that handle data, and make them totally aware of the implications of lax care.
The past year of data breaches has proven that, not only individuals, but the organisations they represent and the bodies that claim to be protecting against such breaches, need to make changes. Without radical moves such as those above, the never ending cycle of: breach, fine, payment, will continue. Without change, it is the very people we should be protecting that are being put in the firing line, time and time again.
Graeme Stewart is public sector business development director at Sophos
COMMENTS
I have recently been the victim of a breach of data protection by cumbria couonty council. They have totally ignored my correspondence/phone calls on the issue and the ICO have stated they only "advise and make recommendations" to organisations. No wonder the problems are escalating!
Maureen Hogg - Seascale, Cumbria
RELATED FEATURES »
- The new NHS: Only the fittest will survive and flourish
- Another day, another data breach: how to make sure you aren't next
- On Her Majesty's not-so-secret service: The 'plausible' plot of Skyfall
- Government faces growing data storage demands
- 'NHS must tell patients about data and privacy breaches'
- 'NHS and councils need help as they fall behind on data protection'
SUGGESTED NEWS »
- New NHS won't escape fines for old data breaches
- Private investigators could face £500,000 fines for accessing data illegally
- Patients can stop their data being shared, says Jeremy Hunt
- Patients targeted after GP email account was hacked
- Caldicott 2 – NHS reported 186 serious data breaches in a year
- Police forces face investigation after sending personal data to G4S