Public Sector Clueless On Secure Data Transfer

Research by enterprise software provider Software AG has revealed that 50 percent of public sector organisations are unable to provide information on secure data transfer procedures and costs.

This is down to the fact that they are failing to keep records on inter-organisational secure data transfer procedures and costs.

This information was obtained via a number of Freedom of Information (FOI) requests, which asked local authorities and central government departments across the UK about their usage of postal and courier services for such transfers, as well as staff time and handling costs, plus spending on removable media such as USB sticks, backup tapes etc.

“Not Required To Keep Records”

The research found that a total of 14 organisations out of 26 were unable to provide any information at all, with one erroneously responding “[we] are not currently required to keep records of any information/data that is transferred.”

There have been countless examples of public bodies losing sensitive information. A couple of years ago, Her Majesty’s Revenue and Customs (HMRC) lost a number of CDs containing private information on thousands of people.

But there have been many more recent examples. Last July the UK Ministry of Defence admitted it had lost an entire server from a secure building – as well as 1.7 million individuals’ personal data. In November the UK Rural Payments Agency (RPA) lost backup tapes containing the payment and banking details of 100,000 farmers in the United Kingdom.

And only last month an NHS worker in the secure mental health unit of a Scottish hospital was suspended, after he lost a USB stick containing patients’ medical records. The USB stick apprently contained unencrypted sensitive information – including the criminal histories of some violent patients at the Tryst Park unit at Bellsdyke psychiatric hospital. The stick was later found by a 12-year-old boy in the car park of an Asda supermarket.

And the NHS was recently named and shamed by the Information Commissioner’s Office (ICO), after it topped a list for the most data breaches in the UK.

Large Fines

Private sector companies meanwhile have already been warned by the ICO to tighten up their security systems. Indeed, the ICO now has the power to issue large fines for any serious data breaches, and companies that fall foul of the data breach laws, for example, now risk a maximum fine of £500,000. And if that was not enough, the ICO has recently said that it is pushing for prison sentences to be introduced for professional data thieves.

“The public should be very concerned that such limited insight into the procedures and costs surrounding the transfer of sensitive information between organisations is so widespread,” said Tim Holyoake, lead technologist at Software AG.

“It means that compliance with the ICO’s framework code of practice for sharing personal information must be doubtful in many organisations,” he added. “For example, if records of transfers are not being kept, how can these organisations ensure that the information they have transferred to others remains up to date, as the law requires?”

“The code of practice makes it crystal clear that this obligation does not end when data has been transferred. Only by ensuring that robust policies and procedures for data transfer exist and that auditable, secure electronic transfers become the norm can the financial and personal costs associated with botched data handling be eradicated,” he concluded.

The only organisation which was apparently able to supply a full answer to the questions was, unsurprisingly, the Information Commissioner’s Office (ICO).