Lives may be at risk because of data leaks, the Information Commissioner Richard Thomas is expected to say in a speech today.
Data loss or abuse of information has led to addresses of service personnel, police and prison officers and battered women being exposed. “Sometimes lives may be at risk,” says Thomas in an advance copy of his speech.
Thomas also warns about the increased risks of data loss as information is centralised.
“The more databases that are set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made.”
Thomas’s office reveals today that the number of data breaches reported to his office has soared to 277 since HM Revenue and Customs lost 25 million child benefit records nearly a year ago.
The figures include 80 reported breaches by the private sector, 75 within the NHS and other health bodies, 28 reported by central government, 26 by local authorities and 47 by the rest of the public sector. Thomas’s officials are investigating 30 of the most serious cases.
Following serious data breaches in the past year, the Information Commissioner’s Office [ICO] has taken enforcement action against Orange Personal Communications Services Ltd, HMRC, the Ministry of Defence, the Department of Health, Virgin Media Ltd, Skipton Financial Services, the Foreign and Commonwealth Office, Carphone Warehouse and Talk Talk.
In his speech Thomas will highlight the risks associated with large databases and the need for tougher sanctions to deter data breaches, and he will call on chief executives to take responsibility for the personal information their organisations hold.
Arguing that information can be a toxic liability, he will challenge CEOs to ensure that the amount of data held is minimised and that robust governance arrangements are in place.
Thomas will say that CEOs must take steps to ensure that features which protect privacy are incorporated into the technology that organisations use.
“It is alarming that despite high profile data losses, the threat of enforcement action, a plethora of reports on data handling and clear ICO guidance, the flow of data breaches and sloppy information handling continues.
“We have already seen examples where data loss or abuse has led to fake credit card transactions, witnesses at risk of physical harm or intimidation, offenders at risk from vigilantes, fake applications for tax credits, falsified Land Registry records and mortgage fraud,” says the text of Thomas’s speech.
Thomas continues: “The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously.
“More laptops have now been encrypted and thousands of staff have been trained. But the number of breaches notified to us must still be well short of the total. How many PCs and laptops are junked with live data?
“How many staff do not tell their managers when they have lost a memory stick, laptop or disc? Many losses are probably simply undetected…
“As government, public, private and third sectors harness new technology to collect vast amounts of personal information, the risks of information being abused increase. It is time for the penny to drop…
“The more you lose the trust and confidence of customers and the public, the more your prosperity and standing will suffer. Put simply, holding huge collections of personal data brings significant risks.”
The ICO has long argued that its powers, sanctions and resources – fixed in another era – are now wholly inadequate and that a stronger approach is required to help prevent unacceptable information handling.
Earlier this year Parliament decided that the ICO should have the power to impose substantial penalties for deliberate or reckless breaches. The ICO says it is working with the government to ensure this measure is implemented as soon as possible. It also wants new powers to undertake inspections and audits of data controllers.
Chris Mayers, chief security architect at Citrix, comments on Richard Thomas’s speech:
“What strikes me about his latest comments is that many of the exposures he references have only come to light because of a stricter disclosure and investigation regime. If it wasn’t for all the publicity about data loss – and the resulting government reports – many organisations might not even have noticed the data was exposed.
“With the Information Commissioner suggesting that the situation is only going to get worse, we need to stop pondering and start acting. All organisations handling sensitive data need to realise there is nothing more important than their responsibility to keep that information secure – which means ensuring data is properly encrypted, or better still, never leaves the datacentre.”