ICO research shows DPA awareness rising – but still room for improvement

According to the analysis, the report's findings - from both the DPA and Freedom of Information Act perspective - are extremely positive, despite organizations trading and operating in times of austerity. There is, says the ICO, still great value placed upon both Acts, and the majority agreed that the Acts are beneficial and very much needed.

The 2011 Annual Track ICO report says that awareness of key DPA obligations has increased significantly, with awareness of the obligation to keep personal information secure increasing by 18%. Awareness of all DPA obligations, meanwhile, has increased and now almost mirrors the highs of 2007. Encouragingly, says the ICO, this has been driven by the private sector, where historically awareness has been low.

The ICO says it has identified the same three key indicator obligations as last year that organizations have to comply with when processing personal information, and awareness of all three obligations has increased since 2010. Awareness of these obligations has now risen to the levels that were achieved in 2007.

Almost three quarters (72%) of all organizations spontaneously mentioned their obligation to keep personal information secure, a significant increase of 18% from last year. Awareness of the obligations to process personal information for limited purposes and not to keep it for longer than necessary has increased by 5% and 8% respectively.

This heightened awareness of the obligation to keep personal information secure has been driven by the private sector, as 75% (52% in 2010) of large companies and 73% (46% in 2010) of small companies mentioned this responsibility.

The increased awareness of the obligations to process information for limited purposes and to keep for no longer than is necessary is mainly driven by a significant increase within private sector organizations (both large and small).

Commenting on the report and its findings, data governance specialist Varonis says that, whilst businesses are waking up to their data protection responsibilities, they still need to be aware of the dangers that their data – and in particular, unstructured data – now pose to their organizations.

David Gibson, director of technical services with Varonis, says that the research shows that, while three quarters of businesses know that the DPA requires them to keep their data secure, less than half believe that organizations process their data in a fair and proper manner.

“This tells us that there is a significant gulf between what firms say they believe, and the reality. The reality, of course, is that few businesses have the access control processes or audit capabilities to prove that they are in complete control of their data, and are therefore risking a breach of the DPA”, he said.

“The problem facing IT professionals is a potentially major one, as research has shown that 80 per cent of data in major organizations is unstructured, making the task of knowing who is doing what, when and where with that data all the more difficult”, he added.

And perhaps more importantly from the ICO’s perspective, Gibson went on to say, proving that you know what is happening to your company's unstructured data is also a lot more difficult—if there are few preventive or detective controls in place there is very little evidence to present.

As an example, he claims, evidence that a file share is controlled might include a record of the last time access was reviewed on that share, who reviewed it, what decisions they made, and who has accessed which files in the share since the review. Very few organizations have these controls in place today.
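To make the kind of evidence Gibson describes concrete, the following is an added example, not part of the article and not Varonis's code: a small Python script that takes an access-review record for one share and a file-access audit log, both constructed for illustration, and assembles the evidence he lists (when the share was last reviewed, by whom, what was decided, and who has accessed which files since). It also extracts the accesses since the review that contradict the review's decisions, which is what a reviewer or regulator would actually want to see. The share name, user names, log format and the mapping of permission levels to allowed actions are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Constructed access-review record for one share (illustrative values only).
REVIEW = {
    "share": r"\\fileserver\finance",
    "reviewed_at": "2011-09-01T09:00:00Z",
    "reviewer": "j.smith",
    # principal -> permission level the reviewer confirmed as appropriate
    "decisions": {"alice": "read", "bob": "modify"},
    # principals whose access was removed as a result of the review
    "revoked": ["carol"],
}

# Constructed file-access audit lines in the form: timestamp,user,action,path
# (raw string so the backslashes in UNC paths are kept literally).
ACCESS_LOG = r"""
2011-08-30T14:12:00Z,carol,read,\\fileserver\finance\budget.xlsx
2011-09-02T10:03:00Z,alice,read,\\fileserver\finance\budget.xlsx
2011-09-03T16:45:00Z,bob,write,\\fileserver\finance\forecast.xlsx
2011-09-04T08:20:00Z,carol,read,\\fileserver\finance\payroll.xlsx
2011-09-05T11:30:00Z,alice,write,\\fileserver\finance\budget.xlsx
2011-09-06T13:00:00Z,dave,read,\\fileserver\finance\forecast.xlsx
"""

# Assumed mapping from a permission level to the audit actions it permits.
ALLOWED_ACTIONS = {"read": {"read"}, "modify": {"read", "write"}}


@dataclass
class AccessEvent:
    when: datetime
    user: str
    action: str
    path: str


def _parse_ts(value: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_access_log(text: str) -> List[AccessEvent]:
    """Turn the comma-separated audit lines into AccessEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split(",", 3)
        events.append(AccessEvent(_parse_ts(ts), user, action, path))
    return events


def build_share_evidence(review: dict, events: List[AccessEvent]) -> dict:
    """Assemble the evidence that a share is controlled: the review record
    plus every access since the review, with those that contradict the
    review's decisions listed separately as exceptions."""
    reviewed_at = _parse_ts(review["reviewed_at"])
    prefix = review["share"] + "\\"
    since_review = [
        e for e in events if e.when > reviewed_at and e.path.startswith(prefix)
    ]
    exceptions = []
    for e in since_review:
        level = review["decisions"].get(e.user)
        if e.action in ALLOWED_ACTIONS.get(level, set()):
            continue  # access is consistent with what the reviewer approved
        if e.user in review["revoked"]:
            reason = "revoked"
        elif level is None:
            reason = "not in review"
        else:
            reason = "exceeds permission"
        exceptions.append(
            {"when": e.when.isoformat(), "user": e.user,
             "action": e.action, "path": e.path, "reason": reason}
        )
    return {
        "share": review["share"],
        "last_reviewed": review["reviewed_at"],
        "reviewer": review["reviewer"],
        "decisions": dict(review["decisions"]),
        "revoked": list(review["revoked"]),
        "accesses_since_review": [(e.user, e.action, e.path) for e in since_review],
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    evidence = build_share_evidence(REVIEW, parse_access_log(ACCESS_LOG))
    print(f"{evidence['share']} last reviewed {evidence['last_reviewed']} "
          f"by {evidence['reviewer']}")
    print(f"{len(evidence['accesses_since_review'])} accesses since review, "
          f"{len(evidence['exceptions'])} exceptions:")
    for x in evidence["exceptions"]:
        print(f"  {x['when']} {x['user']} {x['action']} {x['path']} ({x['reason']})")
```

On the constructed data the script reports five accesses after the review and three exceptions: a read by the revoked user, a write by a user approved for read only, and a read by a user the review never considered. The point of separating the exceptions from the full access list is that the former is the evidence a preventive control failed (or was never implemented), while the latter is the evidence the detective control exists at all.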

Gibson went on to say that, while he welcomes the media exposure that the ICO’s latest research into data protection creates, he thinks it still raises more questions than it answers. “People should also note that the ICO also has a vested interest in all of this, as it is still the gatekeeper for everyone's data”, he explained.

“Companies and their IT staff need to wake up and smell the coffee. All data now has a value to someone, and some data has a much higher value than the rest. The real question for most organizations is what systems they have in place to audit their data accesses - and how these systems will be assessed and interpreted by the ICO in the event that a data breach does occur,” he said.
