Last month I published an article regarding the Information Commissioner's spate of fines against local councils and government.
Titled ‘So what has the Information Commissioner got against local councils?’, it asked technology vendors and an IT manager at a local council why they felt that the epidemic of data loss had spread into local government.
This week I spoke with information commissioner Christopher Graham about why he felt there had been such a rise in the number of incidents. He said one reason is that staff are handling personal, and often sensitive, information, and have to be made aware that they are dealing with people and not just numbers.
“Along with the managers of the NHS and Sir Bob Kerslake [permanent secretary at the Department for Communities and Local Government], I talk to the managers and make them aware that security is very real and this is an issue that they need to wake up to, and need to be aware that the ICO has got the power to fine them up to £500,000,” he said.
“The real impact is in reputation though; if they get branded as incompetently managed, their customers will not want to deal with them. The NHS is big and its technologies are less likely to go wrong; in local government there is a way to go.”
Two years ago, it was NHS trusts that had a major problem with data loss, leading to the Information Commissioner's Office (ICO) saying it was “highly concerned” about the number of losses and that “there are far too many within the NHS”.
He advised that local government needs to focus on security and realise that it is dealing with vulnerable people. In the case of the Cheshire East Council data loss, where data was forwarded to 100 people after an employee used their personal webmail rather than the council's secure system, Graham said three simple solutions would be: training; understanding of what staff are dealing with; and awareness of the sensitivity of it.
Finally, I asked Graham about the process of calculating fines which, since their introduction two years ago, have now seen more than £1m collected by the ICO from 14 enforcement actions.
He said: “When assessing a breach we have to take into consideration how serious it is or whether this was a result of negligence, and we take into account mitigation factors; if we are dealing with an organisation with no policy in place, then they are in a worse state if a mistake has been made, so it is not so black and white.”
It may be hard to realise this from the headlines you read and I write, but the ICO is about more than data loss enforcement; its supervision of the Data Protection Act has led to the Act being taken very seriously by business, which is why fines for breaches make headlines.
The fact that whole ‘sectors’ are affected at the same time is more an unfortunate coincidence than a sign of some kind of vendetta, but as Graham said, with some simple steps any business can resolve challenging issues.