InfoSec Say NHS Worst Culprit For Data Breaches

The NHS has reported the highest number of serious data breaches of any organistion since November 2007, according to disclosures revealed by the Information Commissioner's Office.

David Smith, deputy commissioner at the ICO, today told the Infosecurity Europe conference in London that the NHS - which is in the midst of rolling out digital patient records across the country - voluntarily reported 287 data breaches over the past few years. This constituted just over 30 per cent of the total number of breaches, 962, reported in the period.

The majority of NHS data breaches were a result of stolen data or hardware (113), followed by lost data or hardware (82).

The private sector was second behind the NHS, with 271 reported breaches, followed by local government. However, Smith said: "In the NHS there is a management structure to report this [data breaches], and we're aware not all private sector organisations report."

Organisations can currently report serious breaches to the ICO via its voluntary data breach notification scheme, which Smith said is "moving towards" a compulsory scheme for all organisations.

"It [the voluntary data breach reporting scheme] is working, but it's clear we're not getting everything as we would under a mandatory scheme," said Smith.

To highlight the seriousness of data breaches, Smith outlined cases such as HMRC's loss of 7.5 million child benefit records, the Ministry of Defence's loss of an unencrypted laptop with recruitment data, and PA Consulting, an outsourcer for the Home Office, which lost sensitive prisoner data. However, he emphasised that the problems were by no means confined to the public sector.

Smith said that 70 per cent of breaches are a result of insider wrongdoing, and the theft and loss of portable devices remains "significant". The frequent factors in these cases are a lack of communication and training.

"We do find increasingly organisations do the data protection and security training, but there's no real measures in place to keep up awareness and to change the mindset of staff," said Smith.

He also said that there was a lack of accountability higher up in organisations when it came to data breaches. For example, it was not possible to trace back to the board who was responsible for the HMRC blunder, and eventually it was the chief executive who was forced to resign. "Data protection should be a board-level responsibility," Smith insisted.

Since 6 April 2010, the ICO has had the power to impose fines of up to £500,000 for serious data protection breaches. It had asked for maximum penalties of two years in jail, but this power was not granted.

"We are waiting with bated breath for the first case and for the first fine to be imposed," said Smith. He said that the fine will "concentrate" organisations' minds on "getting it right", adding that while the fine is not a significant sum for large multi-national firms, the publicity and effect on reputation will be a serious enough deterrent.

But he added: "It's not about collecting in money, it's about driving good behaviour. I think it will make organisations take it more seriously, but there will still be a rogue element of organisations which will take a risk come what may."

Although the ICO has this new power to impose a financial penalty, it is still campaigning for prison sentences for what it called 'blagging' offences, and is waiting for the incoming government to report back on consultations on the matter that ended in January.

"Those who con information out of you, those who sell information on the black market - we argue that they should have a prison sentence."

"All the [major political] parties mention information rights, and it will be an issue. So whatever the colour the government, this issue will feature in the future," said Smith.

print this article

Return to hosting news headlines
View Hosting News Archive

Share with: