Lives may be at risk because of data leaks, information
commissioner Richard Thomas is expected to say in a speech
today.
Data loss or abuse of information has led to addresses of
service personnel, police and prison officers and battered women
being exposed. "Sometimes lives may be at risk," says Thomas in an
advance copy of his speech.
Thomas also warns about the increased risks of data loss as
information is centralised.
"The more databases that are set up and the more information
exchanged from one place to another, the greater the risk of things
going wrong. The more you centralise data collection, the greater
the risk of multiple records going missing or wrong decisions about
real people being made."
Thomas's office reveals today that the number of data breaches
reported to his office has soared to 277 since HM Revenue and
Customs
lost 25 million child benefit records nearly a year ago.
The figures include 80 reported breaches by the private sector,
75 within the NHS and other health bodies, 28 reported by central
government, 26 by local authorities and 47 by the rest of the
public sector. Thomas's officials are investigating 30 of the most
serious cases.
Following serious data breaches in the past year, the
Information Commissioner's Office (ICO) has taken enforcement
action against Orange Personal Communications Services,
HMRC, the
Ministry of Defence, the
Department of Health,
Virgin Media,
Skipton Financial Services, the
Foreign and Commonwealth Office,
Carphone Warehouse and
Talk Talk.
In his speech Thomas will highlight the risks associated with
large databases, the need for tougher sanctions to deter data
breaches, and he will call on chief executives to take
responsibility for the personal information their organisations
hold.
Arguing that information can be a toxic liability, he will
challenge CEOs to ensure that the amount of data held is minimised
and that robust governance arrangements are in place.
Thomas will say that CEOs must take steps to ensure that
features which protect privacy are incorporated into the technology
that organisations use.
"It is alarming that despite high-profile data losses, the
threat of enforcement action, a plethora of reports on data
handling and clear ICO guidance, the flow of data breaches and
sloppy information handling continues.
"We have already seen examples where data loss or abuse has led
to fake credit card transactions, witnesses at risk of physical
harm or intimidation, offenders at risk from vigilantes, fake
applications for tax credits, falsified Land Registry records and
mortgage fraud, " says the text of Thomas's speech.
Thomas continues, "The number of breaches brought to our
attention is serious and worrying. I recognise that some breaches
are being discovered because of improved checks and audits as a
welcome result of taking data security more seriously.
"More laptops have now been encrypted and thousands of staff
have been trained. But the number of breaches notified to us must
still be well short of the total. How many PCs and laptops are
junked with live data?
"How many staff do not tell their managers when they have lost a
memory stick, laptop or disc? Many losses are probably simply
undetected...
"As government, public, private and third sectors harness new
technology to collect vast amounts of personal information, the
risks of information being abused increases. It is time for the
penny to drop...
"The more you lose the trust and confidence of customers and the
public, the more your prosperity and standing will suffer. Put
simply, holding huge collections of personal data brings
significant risks.'
The ICO has long argued that its powers, sanctions and resources
- fixed in another era - are now wholly inadequate and that a
stronger approach is required to help prevent unacceptable
information handling.
Earlier this year Parliament decided that the ICO should have
the power to impose substantial penalties for deliberate or
reckless breaches. The ICO says it is working with the government
to ensure this measure is implemented as soon as possible. It also
wants new powers to undertake inspections and audits of data
controllers.
Further information
A Surveillance Society, Home Affairs Select Committee
HMRC breach, Kieran Poynter, PWC
Ministry of Defence breach, Edmund Burton
Data Handling in
Government, Gus O'Donnell, cabinet secretary
Data
sharing, Thomas/Walport
Criminality information, Ian Magee
A Report on the Surveillance Society - for the information
commissioner by the Surveillance Studies Network