Infosecurity Europe: deputy Information Commissioner refutes freedom of information findings, as ICO prepares first mandatory disclosure laws

News by Dan Raywood

The deputy Information Commissioner has disputed claims made by a security vendor over how many data breaches are resulting in penalties.

A freedom of information request by ViaSat claimed that of 2,565 reported data breaches, only 36 had been acted on to date and only four of those had resulted in penalties, equating to fewer than one in 500, or less than one per cent of all reported data breaches.

However, the deputy Information Commissioner David Smith disputed these figures, saying that they date back to when the reporting systems were set up in November 2007. He said: “We are happy with the enforcement actions but we are not happy with (these findings). It is quite inaccurate and this is not the number reported.

“Many people are taking measures to comply with the law and all we see is the public face and there is a high amount going on.”

Speaking in a keynote presentation at the Infosecurity Europe exhibition in London, Smith said that since November 2007, 1,500 breaches had been reported voluntarily. Custodial sentences had been called for, but the government was not in favour of this and was instead considering criminal records for data loss.

He said: “A lot of this is basic stuff, there is a technical side of security that is important and while there is hacking, there is still a big message on the basics and making sure organisations are getting the basics right.”

He also confirmed that 20 cases are currently under investigation and while it was not clear whether they would lead to monetary penalties or not, voluntary disclosure had led to 600 notifications in the last year.

The future will see compulsory breach notification for service providers as a legal requirement. He said: “This is the first time we are seeing compulsory breach notification in the UK and we will have extended penalties and powers and when appropriate, a monetary penalty will apply.

“We are very keen on accountability for security. This is not a blame model for individuals, it is about systems that stop loss happening in the first place. You cannot outsource responsibility, you can only outsource actions and you need to respect people's rights.”

The Information Commissioner's Office (ICO) has also announced two breaches of the Data Protection Act today. NHS Birmingham East and North breached the act after discovering that electronic files, stored on a shared network, were potentially accessible to their own employees and the employees of two other local trusts.

The files contained information relating to thousands of individuals, including members of staff and although health records were not compromised as part of the breach, the files contained some high level information relating to patients. The ICO's investigation found that, while most of the files were not easily accessible and some security restrictions were in place, file security in general was inadequate.

Also, Norwich City College breached the act by dumping sensitive personal information relating to around 80 students in a campus skip. The college reported the incident to the ICO in February 2011 and the files, some of which included sensitive medical details, were found in unsecured bin bags ready for disposal.
