Warwick Ashford is chief reporter at Computer Weekly. He joined the CW team in June 2007 and is focused on IT security, business continuity, IT law and issues relating to regulation, compliance and governance. Before joining CW, he spent four years working in various roles including technology editor for ITWeb, an IT news publisher based in Johannesburg, South Africa. In addition to news and feature writing for ITWeb’s print publications, he was involved in liaising with sponsors of specialist news areas on the ITWeb site and developing new sponsorship opportunities. He came to IT journalism after three years as a course developer and technical writer for an IT training organisation and eight years working in radio news as a writer and presenter at the South African Broadcasting Corporation (SABC).
email@example.com 020 8652 8505 Active Warwick Ashford False True
The Information Commissioner's Office (ICO) has imposed only six monetary penalties against organisations for data breaches since gaining the power in April 2010, says deputy commissioner David Smith.
"These penalties are not imposed for losing data, but for failing to meet the requirement of addressing the risk and having appropriate measures in place," he told attendees of a Trusted Computing seminar, hosted by Wave Systems in London in association with ISSA-UK.
Smith highlighted several other trends that have emerged from the ICO's data breach investigations and audits.
"It's hard to believe, but UK organisations continue to lose portable storage media containing unencrypted personal data," he said.
Government departments are improving in this regard, said Smith, but down at lower levels, such as doctors' surgeries, people still think data loss will not happen or that the rules do not apply to them.
The ICO has identified unnecessary data retention as one of the biggest problems. "If organisations do not keep personal information they do not need, they are less likely to lose it," he said.
Training and awareness of data protection issues is another common problem. "Organisations need to realise that effective data protection requires more than a tick-box exercise. It needs to be backed up with a culture in which data protection is taken seriously," he said.
Policies and procedures also need to be related to the jobs that people do, not just a set of general principles that do not spell out what people should do to protect data in their particular role in an organisation, said Smith.
Many organisations are still failing to monitor contractors and data processors, he said, and in general there is room for improvement in governance arrangements.
Data protection is not just about security, said Smith, it is also about not retaining personal data unnecessarily and controlling access to both computer networks and work environments.
Other common problems include:
- Insecure fax and e-mail communication systems and procedures;
- Lack of clear responsibility for security where services are shared;
- Failure to ensure access rights of movers and leavers are updated;
- Failure to understand that hacked websites are a big risk to data security.
UK organisations need to realise that examples of good practice do exist and that security improvements need not necessarily be expensive, Smith said.
MetaKeywords MetaDescription Sensitive Landingpage False