PROTECTING CONSUMER DATA
Wake Up and Smell the Monetary Penalty
Lessons need to be learned from the UK Information Commissioner's Office (ICO) undertakings and the recent launch of its 2011/12 annual report. Commenting on the report findings, ICO Commissioner Christopher Graham said that organisations are learning ‘the hard way’ about the consequences of mishandling people's personal information, and that others need to learn the lessons from the ICO.
‘Over the past year the ICO has bared its teeth and has taken effective action to punish organisations, many of which have shown a cavalier attitude to looking after people's personal information. This year we have seen some truly shocking examples, with sensitive personal information, including health records and court documents, being lost or misplaced, causing considerable distress to those concerned. This is not acceptable and today's penalty shows just how much information can be lost if organisations don't keep people's details secure. We hope these penalties send a clear message to both the public and private sectors that they cannot afford to fail when it comes to handling people's data correctly,’ said Christopher Graham.
The annual report showed that an equal number of data protection complaints (12,985 complaints) had been received by the ICO in the year 2011/12. The report shows a 60% increase in the number of data audits carried out by the ICO's good practice team. Although the total number of organisations audited by the team amounts to only 42, it is worth noting that 90% of those organisations felt that the process raised awareness of the importance of data protection within them. That in itself is a worrying statistic: 90% of those organisations were not as aware of the risks to their data as they should have been.
The ICO is also extending its audits to cover public authorities' compliance with the Freedom of Information Act, and has introduced advisory visits to help small and medium-sized organisations. Speaking at the SC Magazine Total Security Conference in London, Dr Simon Rice, principal policy adviser (technology) at the ICO, said that the 19 monetary penalties issued to businesses were ‘19 too many’ and that issuing them was ‘not something that the office enjoys doing and it does not represent everything that we do’.
The report said that the ICO had received over 600 self-reported data protection breaches, leading it to issue ten civil monetary penalty notices totalling £1,171,000 in the year, along with 76 undertakings. Christopher Graham said the number of penalties issued should spur companies on to take better care of their data.
As the ICO sends a clear message to the UK business community and appears resolute in clamping down on poor data handling practices, those responsible for handling personal data need to act to ensure that the risk of sensitive and personal data exposure is properly managed through continuous assessment and review.
Gaining management visibility of data handling and storage practices across an entire data environment is an invaluable part of the data protection process and an essential starting point in any risk mitigation strategy. Data auditing solutions provide in-depth analysis and reveal data repositories, whether within scope or outside the business's understanding of its own processes. Doing so ensures that unsecured, unstructured sensitive and regulated information is regularly identified, and that an automated mechanism can be put in place both to provide ongoing monitoring of where critical information resides and to react proactively to vulnerabilities appearing in the business process.
‘Wake up and smell the monetary penalties’ may be stark messaging, but it reflects the new reality of how the ICO is currently driving its data protection campaign and becoming more intolerant of lax and insufficient security measures in protecting UK consumer data.