ICO Cracks Down On Data Breaches, But No Fines

The Information Commissioner’s Office (ICO) has been coming down hard on institutions responsible for data breaches, after a Berkshire council lost a memory stick containing personal information about children, and a surgery in Wales lost a USB stick containing the details of 8,000 patients in the same week.

On 2 June it was reported that West Berkshire Council had lost a USB stick containing information about the ethnicity and physical or mental health of local children. The device was not encrypted or password protected.

This is the second data security incident reported by the council in six months. Following further investigation, it emerged that the council had introduced encrypted USB drives in 2006, but some employees were still using unsecured devices.

“A new compulsory campaign of security training is already taking place and an audit is underway to ensure that no further unencrypted memory sticks are in use,” a council spokesman told the BBC.

Organisations not fined for breaches

Then, on 3 June, it was reported that a surgery in Lampeter, Ceredigion had lost the details of 8,000 patients in the post, including their names and addresses. The memory stick was reported lost in March, after a member of staff downloaded an entire database onto an unencrypted memory stick, which was also not password protected.

The memory stick was posted by recorded delivery to the Health Board’s business service centre, but failed to arrive.

The ICO has ruled that both incidents breached the Data Protection Act. However, neither organisation appears to have been fined, despite warnings earlier this year that companies that fall foul of data breach laws risk a maximum fine of £500,000. The ICO has also been pushing for prison sentences to be introduced for professional data thieves.

“It is imperative that staff are made fully aware of an organisation’s policy for securing personal data and any portable device containing personal information should always be encrypted to prevent it being accessed in the event of loss or theft,” said ICO enforcement group manager Sally-Anne Poole.

Earlier this week, the ICO published a list of all the data breaches reported since 2007. Of the 1,007 reported breaches, the NHS was responsible for 305.

Only half caused by theft

According to the report, just under half of the NHS data breaches were caused by stolen data and hardware. A further 87 breaches were caused by lost data and hardware, 43 were due to data being disclosed in error, 7 came from information that was lost in transit, and 17 from technical or procedural failure.

“We all know that mistakes can happen, but the fact is that human error is behind a high proportion of the security breaches that have been reported to us,” said David Smith, Deputy Commissioner of the ICO. “Extra vigilance is required so that people’s personal information does not end up in the wrong hands.”

At the Infosecurity Europe 2010 show in London, a survey by SaaS email security provider Proofpoint also found that 93 percent of respondents were concerned about the potential for private or personal information to be leaked via email.

This is despite the fact that nearly two thirds of those surveyed said that their company had implemented data protection regulations, and around half had already deployed some kind of email encryption system.

“Enterprises have a pressing need to adhere to regulations that require special handling of sensitive information in emails, and require automatic methods for ensuring compliance,” said Ken Yearwood, director NEMEA at Proofpoint. “It is gratifying to see that passwords are now commonplace and that businesses are embracing security mechanisms such as full disk encryption to ensure that the company is not at risk in the event that a laptop is lost or stolen.”

Sophie Curtis

  • I've just been with a client and the very question of "Where are all the ICO fines?" came up, so a quick Google threw this story up. My answer is simple: until breach notification becomes mandatory, only the public sector will disclose a breach to the ICO. Furthermore, how do data controllers know they've suffered a breach??? Some of the controls over areas such as asset retirement are so poor that they wouldn't actually know when they have lost control of their data.
    Sadly, the reality of the ICO fine is that it was a headline-grabbing change with little real teeth. The ICO needs to go out and test/audit clients' ability to control their data. Until that happens, the status quo will continue.