Groundhog Day for Data Protection

With the ongoing breaches of personal data by public sector organisations and resultant calls by the privacy watchdog for greater penalties, it seems the UK is making no progress on data protection.

Just this week the Information Commissioner’s Office (ICO) issued a monetary penalty of £120,000 for the loss of an unencrypted, non-password-protected USB memory stick containing sensitive personal data.

Have UK data handling organisations learned nothing in the past five years?

“We are seeing the same pattern we did in the run up to the HMRC data breach in 2007,” says Stewart Room, partner at international legal firm Field Fisher Waterhouse.

He believes the increasing monetary penalties against public sector organisations like the Greater Manchester Police are the first rumblings ahead of another major data breach.

It remains to be seen whether there will be another data breach that will equal or exceed the HMRC fiasco, but the ongoing breaches nonetheless prove that UK data protection is not getting better.

Did the government’s data handling review after the HMRC breach really achieve anything?

In many senses, the data handling review appears to have had an effect that did not last much more than a year, according to Room.

“The fact that organisations like the Manchester Police are still storing sensitive data on unencrypted USB memory sticks indicates that they are slipping back into bad practices; the data handling review seems largely forgotten,” says Room.

He suspects we could be on the verge of another HMRC-style data breach because history appears to be repeating itself in terms of data protection, but how bad will it have to be to make a real difference?

The ICO argued long and hard for the monetary penalties, but they seem to be making little impact. Is there any point in continuing the way we are, simply waiting for HMRC-2, or is it time to do something completely different, before there is another major data breach?

Fortunately the HMRC breach so far does not seem to have had any devastating effect on the lives of the people whose data was lost, but that may not be the case next time around.