Security breaches - it's not going to go away...
22.04.08
Since the very public loss of personal information by HMRC back in November last year, security of personal data has been grabbing the headlines. From laptops stolen or lost in public places, to bin bags containing application forms left on the street, it's clear that organisations need to take better care of personal information.
The Information Commissioner's Office (ICO) thinks so too. Today, it has issued a press release confirming that in just six months it has received notification of almost 100 data security breaches.
Data protection expert Peter Hall says, "The breakdown of these notifications makes interesting reading, with well over half coming from the public sector. While the public sector may appear to be the worst offender, it's simply being more open about its breaches and seeking to remedy previous failings. This figure is likely to be just the tip of the iceberg, particularly where the private sector is concerned."
Organisations are not required under the Data Protection Act 1998 to report security breaches to the ICO, but they are required to ensure that they have taken appropriate measures against unauthorised or unlawful processing of personal information.
The ICO has published guidance for organisations who wish to have a policy in place on how to deal with security breaches. It believes that serious data breaches should be notified to the ICO and has produced additional guidance on what may constitute a serious breach, as well as the information it would expect to receive about the breach.
Information Commissioner Richard Thomas and Dr Mark Walport of the Wellcome Trust are currently carrying out a review of Data Sharing and the application of the Data Protection Act in the UK. The ICO has also called for tenders to review EU Data Protection Law. In addition, the European Data Protection Supervisor has called for data breach notification rules currently being applied to telecoms providers and ISPs to be extended to organisations such as those in the financial services sector.
Peter says, "The legislative framework for the protection of personal information is certainly coming under scrutiny, and changes may not be far away. Now is the time to review your processes and products. Building privacy into these processes and products should not be considered as a mere afterthought."
Key Contact
Peter Hall, partner, +44 (0)121 685 3834, peter_hall@wragge.com
This alert may contain information of general interest about current legal issues, but does not give legal advice.