Last year the UK Information Commissioner's Office (ICO) issued 25 fines (22 of which were for data security breaches). This year ICO has issued 16 fines so far. We'll have to see what happens in the next two months but my guess is we'll be seeing a fair few more fines in the run up to Christmas.
In a recent blog post on ICO's website, we are told that the local government sector has received fines totalling more than £2 million since the ICO's fining power began in 2010. That's a staggering amount of money which ultimately is paid out of the public purse (presumably to the detriment of the public services it was there to support).
We are also told in the blog that “all these breaches” could have been prevented if the Data Protection Act had been correctly complied with. I’m not sure I entirely agree with that statement; can total compliance really eliminate all risk of incidents occurring?
While it is true that organisations should implement rigorous data protection and information governance frameworks to help safeguard the data they handle (think “technical and organisational measures” required by the DPA), surely no amount of policies, guidance or training is going to prevent an accidental slip-up from occurring. The unfortunate reality is that we humble human beings do make the occasional mistake. We all know – or can imagine – how easy it is to misdial a number or click on ‘send’ and inadvertently send something to the wrong person. Indeed, our 2012 ICO Enforcement Tracker (please get in touch for a copy) revealed that of all the fines issued by ICO last year the overwhelming majority were for breaches involving misdirected communications.
So practically speaking, what is the answer?
Well, the best solution is surely to assess and manage the risks so that, if an incident does occur, no harm or damage results from it. The best thing you and your organisation can do is (i) sit up and pay a bit of attention to the types of personal data you handle and where it goes; (ii) get fully up to speed with what your legal obligations are in relation to it; and (iii) implement a robust system that demonstrates not only that you are doing everything reasonably possible to avoid a breach occurring in the first place, but also that you have a proper, tested action plan in place to manage an incident if and when it arises.
It also goes without saying that we can learn an awful lot from the mistakes that others have already made; we know that the "hot spots" for regulatory action include misdirected communications, a lack of policies and training, and the failure to encrypt portable media (laptops, USB sticks and the like) that contains personal information. Organisations should exploit that knowledge and use it to build better and more effective breach management strategies, concentrating their effort on the failures that ICO has actually fined rather than on the risks that merely sound most alarming.