Deputy Information Commissioner David Smith had several warnings for business organisations at this morning’s keynote at Infosec 2011 in London.
Looking to the future, Smith made several references to the extra powers the ICO has recently acquired and those it is soon to acquire.
Many organisations are still not getting the basics right, he says, and the cardinal sin in the ICO books is any failure to have a proper managed approach to risk.
With 20 cases under investigation that may lead to monetary penalties being imposed and up to 60 audits planned, the ICO clearly means business in 2011.
The results of past audits are published on the ICO’s website, so this is probably a good place for UK organisations to start any review to identify potential data protection weaknesses.
Areas that UK business should be looking at include the theft or loss of unencrypted laptops and portable storage media, failure to clear data that is no longer required, failure to monitor contractors and data processors, poor communication and training around data protection, and failure to relate policies and procedures to jobs.
Many fax and email communications are still insecure, says Smith, and failure to prevent loss or exposure of personal data through email is likely to feature in monetary penalty cases soon.
Physical security is another common failing. Smith says organisations tend to focus on IT security at the expense of physical security. Access to buildings and hardware is all too often overlooked, he says.
The biggest changes in 2011 are likely to be for service providers. From May, all service providers will be required by law to report all data breaches, and all website owners will have to ensure they are not storing any information on users’ PCs that is not strictly necessary for the provision of the service.
“From May, this can take place only with the consent of the user,” says Smith. Any website operator failing to do this will be held accountable.