Information Commissioner tells a teacher off for losing a laptop, but
critics say this is not enough
The Information Commissioner has reprimanded a school and a hospital
for data breaches, but is still facing criticism for going too easy on
organisations failing to protect their data.
Freehold Community School in Oldham may have exposed 90 pupils’
personal information when an unencrypted laptop was stolen from a
teacher’s car, while NHS Birmingham East and North breached the Data
Protection Act by failing to restrict access to files on its IT
network, the Information Commissioner’s Office (ICO) has said.
The announcements came while the ICO was slated for acting on data
breaches so rarely that its fines are “a risk organisations are
prepared to take,” according to critics.
Public sector still unfairly targeted?
The ICO has fined only four organisations for data breaches, despite
having 2565 incidents reported to it in the year since it gained the
right to fine offenders, according to a Freedom of Information request
made by security firm ViaSat.
ICO deputy director David Smith attacked the figures when they were
released, calling them “inaccurate”, and suggested a revision downward
to around 600 reported breaches. ViaSat stood by the figures, pointing
out that the data came from the ICO in response to a specific request
about data breaches.
“Our request was clear in that we wanted information on the number of
data breaches,” said ViaSat chief executive Chris McIntosh. “Even if
you look at the revised figures the ICO has released it is still clear
that monetary penalties have been enforced in less than one
percent of the data losses it has dealt with.”
The new reprimands did not include fines, and do nothing to counter
McIntosh’s other criticism, that the ICO hits the public sector
unfairly. “The public sector… dutifully reports its failures under the
data protection act and receives more, and larger, penalties as a
result,” said McIntosh in a statement.
Promise to do better
Joyce Willetts, the head of Freehold Community School, has promised
that laptops will not be stored in cars in future, all data taken off
site will be encrypted, and staff will be trained.
Meanwhile in Birmingham, Denise McLellan, chief executive of the NHS
Birmingham East and North trust has promised to increase security,
after the personal records of thousands of members of staff were
potentially exposed to staff at three NHS trusts.
“Our focus as a regulator is on getting bodies to comply with the Data
Protection Act,” said an ICO statement. “This isn’t always best
achieved by issuing organisations or businesses with monetary
penalties. The big stick is there, but doesn’t need to be deployed all
the time to have an effect.”
The ICO’s guidance on the use of its powers to issue a monetary
penalty is published as a PDF.
This statement did little to placate McIntosh, who reiterated his
criticism of ICO inaction: “The ICO is fond of saying that ‘you have
to be selective to be effective’ but by being too selective all that
happens is that organisations, especially in the private sector, can
begin to view the threat of a penalty or an undertaking as something
that is so unlikely as to be beneath notice,” he said. “For example,
organisations could easily look at the £60,000 penalty meted out to
A4e, its size compared to the company’s £145m turnover, its rarity and
the fact that A4e is still receiving plenty of business, from the
Government no less, and feel that the risk of ICO action is one they
are prepared to take.”
McIntosh and the ICO agree on one thing, however. At Infosec, Smith is
reported to have asked for more powers to deal with those who breach
the Data Protection Act.
McIntosh agrees: “The ICO is right to push for more powers, and we
fervently hope it can get them,” he said. “However, it would be nice
to see those it has exercised a little more.”
The ICO has indeed been given more powers in another area related to
data breaches. It can fine companies that send unwanted spam up to
£500,000.