ICO “celebrates” 1,000 data security breaches (make that 1,001, no, 1,002 …)

PLC Public Sector reports:

On 28 May 2010, the Information Commissioner’s Office (ICO) published details of the 1,000 data security breaches that have now been notified to it.  In this post, we look at any lessons to be learnt from this data.

A look at the figures published by the ICO reveals some interesting facts:

  • The largest “offender” is the NHS on 305 breaches, closely followed by the private sector on 288, with local government in third on 132. 
  • The most common reasons for public sector data losses were lost or stolen data or hardware.
  • In the private sector, disclosing data in error and technical/procedural failure represented a higher proportion of the breaches than in the public sector.

As with any statistics, it is important not to base too many firm conclusions on figures that may well be misleading.  However, on a positive note, the figures do seem to suggest that the public sector has got to grips with the disclosure regime and is not often deliberately disclosing data in error due to a lack of understanding of the rules or a failure in procedures.

On the downside, the public sector seems to be struggling to hold on to its data/hardware!  This is supported by details of the latest data security breaches reported by the ICO, with:

  • West Berkshire Council losing a USB stick containing sensitive personal information about children and young people.
  • Lampeter Medical Practice sending an unencrypted memory stick with the personal information of 8,000 people in the post and it disappearing.

As we have previously warned, the ICO now has enhanced enforcement powers and it is increasingly important for all organisations, especially those in the public sector, to tighten data security practices.  With hardware loss in mind, of particular importance is:

  • Taking appropriate physical security precautions to ensure that the hardware is not lost or stolen.
  • Thinking twice before data is downloaded or stored on any device, especially if the device is mobile.
  • Making sure all devices, especially mobile ones, are encrypted and password protected.

For those organisations that take the publication of this information as an opportunity to review their data security policies and practices, our practice note provides the information you will need to make sure that you comply with the regulatory requirements.

One thought on “ICO “celebrates” 1,000 data security breaches (make that 1,001, no, 1,002 …)”

  1. 25% of security breaches notified to the ICO also relate to personal data disclosed in error, therefore better staff awareness of data protection issues is crucial to minimise mistakes. To help with this, the ICO launched a campaign earlier this year called “Th!nk Privacy” which includes a toolkit of material that organisations can download free and use within their organisation to promote data privacy awareness. More information about the campaign, including the toolkit, can be accessed at:

    http://www.ico.gov.uk/news/current_topics/think_privacy.aspx
