Infosecurity Europe 2010: NHS responsible for a third of data breaches, says ICO

27 April 2010

The NHS are responsible for one third of data breaches in the last two and a half years, according to the Information Commissioner’s Office.

Speaking at the opening keynote session for Infosecurity Europe conference, in London, 27th April 2010, David Smith, the Deputy Commissioner, ICO, announced that approximately 30 data breaches are reported to the ICO each month. “We have seen a very slight decline in data breaches recorded”, announced Smith, who revealed statistics showing that “the loss and theft of stolen data and hardware is the method behind the majority of declared breaches.

“The NHS are responsible for one third of data breaches, followed by the public sector.” What can be understood from these statistics, said Smith, “is that not all private sector organizations will declare their breaches. We’re still seeing loss of personal data on unencrypted laptops in both sectors”.

Speaking of the newly introduced ICO powers to audit organisations without their consent, and penalise organisations up to £500 000 for significant data breaches, Smith assures the audience that the ICO is “not trying to catch you out, we’re trying to help you to get it right”.

The problem

The scale of data loss has significantly evolved over the years, explained Smith, who argued that the “scale of the problem has greatly increased; we’ve gone from losing a few medical files on a few sheets of paper at a time, to losing millions of files on one disk or USB stick”.

Smith used the MoD as an example of this evolution. “The MoD used to have a culture of secrecy, which has been eroded by the Facebook generation. Today, people are willing to share more; a culture of reducing costs and sharing has emerged”.

“Data breaches are still happening, and are often due to insider wrongdoing, or theft and loss of data on portable devices”, Smith explained. “There are too many organizations ticking the boxes, without investing in real measures to keep up staff training and awareness”. Contractors and processes must be checked, Smith argued.

A lack of accountability, unfit policies and a lack of awareness and training can be blamed for many incidents of data loss in the public sector, argued Smith. “The MoD was still using unencrypted laptops when encryption was the standard. [The public sector] needs to update their way of working, as well as updating the technology.”

The solution

A clear line of accountability for the security of data needs to be established, explained Smith. “Updated policies, relevant technology and systems, and people are the core of what needs to be done”.

When a breach does occur, those affected should be notified as well as the ICO. “We don’t want to know about every breach that happens, just the large-scale breaches where there is potential harm to individuals”, Smith explained. “In most cases, we’ll record the incident but not action it.”

The Information Commissioner’s Office offers tools to assist public and private organisations in protecting their data. These tools include:

  •  Privacy impact assessment
  •  ICO audits
  •  Advice and guidance
  •  Designing privacy into technology
  •  Research

Despite offering these tools, Deputy Information Commissioner Smith insists that the ICO are not information security experts. “To be completely honest with you, we leave most of the security stuff to others; to the experts. We’ve not set ourselves up as security experts, instead we focus on the other aspects of data protection. We’d like to work with the information security industry to help develop advice and guidance.”

The future

Deputy Information Commissioner Smith announced that there is “every prospect” that breach notification will become a legal requirement in the UK. “Within 18 months, it’s likely that ISPs and telecommunication companies will have to abide by this rule, and before too long, this same law will apply more widely”, said Smith.

“We’re also arguing that custodial sentences for those who ‘con information out of businesses or sell private information on the black market’ should become a very real fact. There will also be a review of the European DP Directive.”

Finally, Smith declared his confidence that regardless of which political party wins the national election, “this issue will not go forgotten”.
