ICO reports that the NHS has disclosed 305 security losses, as the number of breaches tops 1,000

News by Dan Raywood

The Information Commissioner's Office has warned organisations that they need to minimise the risk of mistakes, as the number of losses reported tops 1,000.

The ICO claimed that staff need simple procedures for handling personal information, together with appropriate training, so that the importance of securing it is fully understood. It also said that it is essential that the protection of people's personal information is part of organisations' culture and DNA.

An ICO report revealed that 254 breaches were the result of information being disclosed in error, 307 were the result of stolen data or hardware and 233 were due to lost data or hardware.

A further 83 were due to a technical or procedural failure and 59 were lost in transit. A breakdown by sector revealed that 305 incidents were recorded by the NHS, 288 in the private sector and 132 by local government. Only 81 incidents were attributed to central government.

David Smith, deputy commissioner at the ICO, said: “We all know that mistakes can happen but, the fact is that human error is behind a high proportion of security breaches that have been reported to us. Extra vigilance is required so that people's personal information does not end up in the wrong hands.

“Organisations should have clear security and disclosure procedures that staff can understand, properly implement these and ensure that they are being followed by staff. Staff must be adequately trained not just in the value of personal information, but in how to protect it.

“We are keen to work with organisations to prevent breaches happening in the first place and to help ensure that things are put right when they do go wrong.”

The announcement comes after the private financial details of up to 50,000 people were mistakenly sent out in the post by HM Revenue & Customs (HMRC). BBC News reported that claimants were sent their annual tax credit award notice, along with personal details of other claimants, with one recipient receiving the bank sort code and the last four digits of the bank account number of another claimant.

HMRC said it would be apologising to all the people affected. A spokesperson said: “Unfortunately an error has occurred in one of the tax credits print runs causing some customer information to be wrongly formatted.

“Investigations are underway to identify the cause of the problem and we will be contacting affected customers in writing this week, apologising and providing a corrected award notice. An initial analysis shows that ID theft could not result from this printing error.”

Chris McIntosh, CEO of the Stonewood Group, said: “At the moment, organisations can say that they are putting into effect firm policies to protect data. However, this report shows that unless they actually match this with positive action they will be doing nothing more than shifting the burden of responsibility onto employees, rather than providing any actual progress.

“It is not enough for governments and other bodies to just insist, for example, that data is not stored on an unencrypted device. It will be interesting to see what reaction there is to this report. It may help serve as an example and spur organisations that have been dragging their heels to finally implement watertight encryption and data protection policies and technology, protecting themselves without simply passing the buck onto their workers.”

