Infosec 2012: Three main data-related risks to business

There are three main risks to business related to data protection, according to the Information Commissioner's Office (ICO).

The main risk is the reputational damage to an organisation, Information Commissioner Christopher Graham told Computer Weekly.

"It does not look good when the ICO imposes a civil monetary penalty on an organisation for a serious breach of the data protection principles," he said.

Graham is to discuss the civil monetary penalty regime and how this is changing the behaviour of UK organisations at Infosec Europe 2012, 24 – 26 April in London.

So far, the ICO has imposed 14 monetary penalties, which can be up to £500,000.

The highest to date of £140,000 was imposed on the Midlothian Council for sending sensitive personal data about children to the wrong people on five separate occasions.

The second risk to business, related to the first, is the cavalier attitude towards disposing of computer equipment that contains personal data, said Graham.

At Infosec, he is to unveil the results of some mystery shopping of computer equipment done on the internet by the ICO.

All the information commissioner would reveal ahead of the event is that 11% of computers bought online and analysed contained personal data.

"We found 34,000 files containing sensitive personal or corporate data; although we saw some degree of data wiping, there is still too much available on second-hand kit," said Graham.

Rogue or poorly trained employees represent the third important risk to business related to the protection of personal data, according to the information commissioner.

"This is a common theme in civil monetary penalty cases, with someone within an organisation being very careless or going rogue," he said.

Graham lays some of the blame for rogue insiders at the door of the courts. "My concern is that the courts either do not have the power or appetite to impose appropriate sentences," he said.

The going rate, he said, for a breach of section 55 of the Data Protection Act is only £130. This does not provide any disincentive, so people are making a lot of money selling personal information.

In a bid to bolster its ability to police efforts to protect personal information, the ICO is seeking to extend its powers of compulsory audit in the public sector to the NHS and local government.

However, Graham emphasises that the ICO's regulatory approach is to strike a balance between punishment and reward.

"There is a lot we can do to help in terms of advice and guidance; we have a very successful good practice audit scheme that is attracting a lot of interest from data controllers," he said.

Any organisation can apply to the ICO for a free audit to check compliance with the Data Protection Act. "This is the only free consultancy you can get, and it will make sure you are in a good place and will not make mistakes in future," said Graham.

He insists that the ICO is a "modern and proportionate regulator" that is very considered in the use of its powers.

"The emphasis is very much on helping organisations to get [data protection] right," he said.

The information commissioner will discuss these topics in more detail and unveil the results of the ICO's investigation into data wiping of second-hand computer equipment at 15:00 on Wednesday 25 April in the keynote theatre at Infosec.
