Information Commissioner Richard Thomas has expressed concern about continued data breaches from the public sector – almost a year after HM Revenue and Customs lost the data of 25 million child benefit claimants in the post.
In a speech to a European conference on data security, Thomas says “2008 has undoubtedly been a year of data breaches and data losses.” He then goes on to reveal new figures, showing that the number of data breaches reported to his office since last November has “soared” to 277.
Seventy-five of these relate to the NHS and other health bodies. Central government has reported 28 breaches and the private sector 80. The Information Commissioner’s office is investigating 30 of the “most serious” lapses.
In his speech to the RSA Conference, Mr Thomas says the number of reported breaches is “serious and worrying.” But he also recognises that “the number notified to us must be well short of the total” since many PCs and laptops will be junked with live data on them, and USB sticks and other devices lost without anyone being notified.
“Holding huge collections of data brings significant risks,” he says. “It is therefore alarming that – despite high profile data losses, the threat of enforcement action, a plethora of reports on data handling and clear guidance – the flow of data breaches and sloppy information handling continues.
“Everyone must recognise that data breaches can cause harm, distress and hassle for the individuals affected, lead to serious financial losses and seriously affect the reputation of organisations. This is a central challenge for those who lead private and public organisations; they must earn and retain our trust.”
Thomas says organisations should minimise the amount of data they collect, and keep it for no longer than necessary. He also urges managers to think clearly about getting the right policies and procedures in place, and to build privacy into the design of new IT systems. Finally, he says there also needs to be a focus on people’s attitudes and behaviour.
“Those at the top, chief executives, permanent secretaries and so on, must be certain that the right framework is in place to address the risks of personal information and must be certain that responsibilities are clear,” he says.
The government has promised that the Information Commissioner’s office will get new powers to impose “substantial penalties” for “deliberate or reckless” breaches of data protection laws. Thomas wants these “as soon as possible”, arguing they will “concentrate minds and act as a real deterrent.”
The figures for data breaches reported to the Information Commissioner’s office from the NHS and healthcare over the past year show that one breach related to an email error, two to postal errors, 27 to lost computers, five to “inappropriate disclosure”, one to website security, 14 to lost paper records, 18 to lost computer disks and similar media, and seven to “other” incidents.
NHS chief executive David Nicholson recently issued a letter to chief executives and chief information officers reminding them of Department of Health guidance on data in transit and encryption, and urging them to check it was being followed.