Maksim Kabakou - Fotolia

ICO needs greater powers to deal with true scale of data breaches

Data obtained from a series of freedom of information requests to the ICO and UK police forces shows the ICO is not seeing 92% of potential breaches

Only a fraction of breaches of the Data Protection Act are reported to the Information Commissioner’s Office (ICO), a study has revealed.

Just 1,089 breaches were reported to the ICO in the 12 months to March 2015, yet in the same period 13,000 devices that could hold sensitive data were stolen or went missing.

The data obtained from a series of freedom of information requests to the ICO and UK police forces by security and communications firm ViaSat UK shows ICO is not seeing 92% of potential breaches.

However, the number of stolen or lost devices containing sensitive information could be higher than 13,000 as precise, verified responses were received from only 31 of the UK’s 46 police forces.

The current Data Protection Act contains obligation to report breaches, which means there is no way of knowing how many of these unreported breaches put sensitive data at risk.

“We must remember that 13,000 thefts is the bare minimum. Considering that not all police forces could share this information, the real figure is likely to be many times greater and as a result, thousands of individuals’ private data could well be on borrowed time,” said ViaSat UK CEO Chris McIntosh.

“It’s clear that this discrepancy isn’t due to the ICO, but the framework it has to operate in. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimised,” he said.

According to McIntosh, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. “If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence that none of the 13,000-plus stolen devices represent a threat,” he said.

Read more on data protection reform

The study revealed that most of breaches reported to the ICO came from the healthcare and public sectors, which together accounted for 51% of reported breaches.

“These statistics suggest that the private sector is still greatly under-reporting the number of potential breaches it encounters,” said McIntosh.

“The ICO’s role is to encourage best practice in data protection. While it is clear that its financial penalties are aimed at this goal, it still needs more legal and financial muscle to drive its goals,” he said.

While compulsory reporting of every single potential breach could be difficult to enforce, McIntosh said it would give the ICO a clearer view of the problem and allow it to better mandate best practice.

“However, in the meantime compulsory encryption, and the power to police it, is the absolute minimum that the ICO should be granted,” he said.

In May 2015, the ICO called for a more practical approach to data protection regulation.

Information commissioner Christopher Graham said regulators must not get left behind as technology changes how personal information is used.

“The digital revolution has implications for every aspect of our lives – as citizens, as consumers, as individuals,” he told the 2015 European Conference of Data Protection Authorities being hosted by the ICO in Manchester.

“If we want to be effective doing what we do, we are going to have to learn to do some things differently,” he told representatives from around 90 data regulators and international bodies.

According to Graham, the best place to begin is by understanding what is expected by the people whose fundamental rights the data protection authorities are supposed to be defending.

“If we just carry on doing what we do the way we’ve always done it, regardless of what’s been happening over the past 20 or 30 years and what might happen over the next few decades, oblivious to what consumers and citizens are doing for themselves and ignoring what they are telling us about what they expect from us data protection authorities, we won’t be doing our job as regulators of data, guardians of privacy and policemen of the digital highway,” he said.

Read more on Privacy and data protection