Data watchdog admits to deluge of Central Government breach info
Many of those breaches reported to the Information Commissioner's Office (ICO) involved serious losses, including the loss of information on criminal proceedings.
Those worrying facts were outlined by David Smith, deputy information commissioner, at a Westminster eForum event on data leakage this morning.
The ICO runs a voluntary scheme, where it encourages businesses and public sector organisations to report significant information breaches. A law which could make the reporting of such breaches mandatory is currently being developed at a European level.
Referring to the loss of 25 million records from Her Majesty's Revenue & Customs last year, and the loss of the details of 600,000 people on an MoD laptop in January, Smith said: "These are not the only cases. They are part of a pattern. We have a voluntary system for data breaches. We've had 150 notifications, with some potentially very serious losses there."
Smith cautiously welcomed efforts in Brussels to develop a law to make the reporting of information breaches mandatory. "There are some benefits," he told SC Magazine. "But it has to be sensible and proportionate, so we're only told about things that matter. It has to be risk-based."
Many information professionals have been calling for the reporting of breaches to be made mandatory because of the growing number of reported cases of information leakage. As well as the infamous HMRC and MoD losses, civil servants have left secret documents on public train services twice in the last month. In the private sector, Norwich Union and Nationwide have been heavily fined by the Financial Services Authority for large losses of information.
The Information Commissioner Richard Thomas is keen that these high profile breaches remain in the public limelight to help to prevent further occurrences.
Thomas is also working on the introduction of new powers which will give his office the authority to levy fines on companies who display poor standards of information security.
Though the powers have in theory already been granted, David Smith estimated today that the ICO would have to wait about six months to levy its first fines. First, a code of practice would need to be drawn up, and the maximum penalty decided.
"We have limited powers of prosecution," said Smith. "We haven't had sanctions that we can impose on organisations that get things recklessly wrong. Now we have been given the power to impose fines. It will take six months or so to come into effect."