Statement from the Information Commissioner’s Office:
Over 800 data security breaches have been reported to the Information Commissioner’s Office (ICO) in just over two years, the privacy watchdog announces today. The ICO is warning that organisations may face tougher sanctions if they fail to report security breaches which subsequently come to light.
David Smith, Deputy Commissioner, said: “In just over two months a further 100 organisations have reported data security breaches to us. We are keen to work with organisations to prevent breaches occurring in the first place and to help put things right when things do go wrong. Talking to us may of course result in regulatory action. However, organisations must act responsibly; those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions.”
Mistakes account for 195 of the 818 data security breaches reported to the ICO since November 2007. 262 breaches are the result of theft, often where the personal information was held on an unencrypted portable device. The ICO provides free advice to organisations to help them comply with the Data Protection Act. Organisations can minimise the risks of security breaches involving personal information by ensuring that all portable media devices containing personal information are encrypted. Staff must be adequately trained and organisations should give proper consideration to restricting staff from downloading large volumes of data onto memory sticks and other portable devices. All personal information held within buildings and offices should be protected by adequate security arrangements to prevent theft or the loss of the data. The loss of personal information can cause harm and distress for individuals, and can lead to reputational damage and loss of customer trust for organisations.
New powers, designed to deter data breaches, are expected to come into force on 6 April 2010. The Information Commissioner’s Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act. The power to impose a monetary penalty is designed to deal with the most serious personal data breaches and is part of the ICO’s overall regulatory toolkit which includes the power to serve an enforcement notice and the power to prosecute those involved in the unlawful trade in confidential personal data.
The ICO has produced a plain English Guide to Data Protection to provide businesses and organisations with practical advice about the Data Protection Act. The guide is intended to help organisations safeguard people’s personal details and comply with the law. The guide takes a straightforward look at the principles of the Data Protection Act and uses practical, business-based examples.
A copy of the breach table is available here: http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/breach_notification_spreadsheet_jan09.pdf