A disconnect between IT and the board is a problem and the two have to be brought together for the benefit of better data security.
Mick Gorrill, former head of enforcement at the Information Commissioner's Office (ICO) and now consultant within the security and information law group at Field Fisher Waterhouse, said that while security is considered by the board, data security often is not and the two have to be put together to have a good chance of getting it right.
He said: “You should have someone nominated for data security, as if you have accountability you will take notice of what the ICO is saying and put policy and procedure into place. If you get new staff training you get the best way of getting it into someone's head on what they should and should not be doing. It is about taking data security seriously.”
Gorrill also claimed that companies still get data security 'spectacularly wrong', particularly when there is a cavalier approach.
He said: “What causes a fine is if harm or distress is caused to a subject, and also if policy and procedures are lax or if little accountability is given, which means that security breaches are more likely. Since 2007 and HMRC it is taken more seriously, while at Hertfordshire County Council they admitted that the same thing could happen again and then it did. There was no risk assessment.
“If senior management are not engaged in data protection then there is not much chance of it working, also if there is no staff training going on. An important assessment for privacy is vital and that is what the ICO will look at and if they come to the conclusion that an organisation has done what they could, then the ICO will look on very favourably.”