Data breaches are likely to increase as councils clamber to join up services due to cost constraints, says deputy Information Commissioner David Smith.
"There is a real risk we will see more breaches; as more joined-up services are done in a rush, the implication is that data security may not be thought through."
The warning comes as other figures in local government have cautioned against a hasty move to joined-up networks.
Next month the ICO will launch a strategy code of practice for shared services.
Speaking at the Infosecurity 2011 event in London, Smith outlined outsourcing as another area of concern, pointing out that organisations are still responsible for who controls their information and could be liable even without having any personal information in their possession. "You can't outsource responsibility," he said.
In defence of ICO fines
Smith also hit out against reports that the ICO had only "punished" 1% of organisations in breach of the Data Protection Act over the past year, by either forcing them to issue a formal undertaking to change practices or pay a fine.
He said the figure of 2,565 organisations in breach of the act, quoted by ViaSat from a Freedom of Information request, was misleading. ViaSat said this number covered a time period of one year, but Smith said it dated back to November 2009, which distorted the findings.
"The idea that we let the other ones go by without doing anything is completely false. In many cases the organisations were already undergoing formal undertakings," he added.
Just four organisations in serious breach of the act have been fined by the ICO since its powers were extended in January 2010. Smith said this is because it takes a long time to enforce fines, which have to be robust as they are open to an appeals process.
But he admitted that more fines would send out a strong message to organisations. "I'm not sure if it's just a question of numbers. If we issued another 20 regarding breaches using faxes, I don't think that would necessarily change the message. But other areas of security breaches have not yet been subject to monetary penalties and when they are I think that will send out an important message to organisations."