ARN

UK privacy watchdog slams databases, year of data loss

Accountability rests at the top, watchdog says, and it is up to CEOs to ensure they minimize the amount of data they hold and implement robust governance.

The number of data breaches reported to the UK's Information Commissioner's Office (ICO) has soared to 277 in almost a year, new figures released Wednesday revealed.

In almost 12 months, 80 of those breaches concerned the private sector, 75 within the NHS and other health bodies, 28 reported by central government, 26 by local authorities, and 47 by the rest of the public sector.

But Thomas also noted that the number of data breaches reported to the ICO might "still be well short of the total."

In the past year, the ICO has taken enforcement action regarding data losses against HM Revenue & Customs, the Ministry of Defence, the Department of Health, the Foreign and Commonwealth Office, Virgin Media, Skipton Financial Services, Carphone Warehouse, TalkTalk and Orange.

In his keynote at RSA Europe 2008 in London yesterday, Thomas said accountability rests at the top, and it is up to CEOs to ensure they minimize the amount of data they hold and implement robust governance. Chief executives need to stop leaving data security up to IT workers, lawyers and human resources, said Thomas.

Thomas also revealed that the Information Commissioner's Office could be set to receive more powers and more resources in only a few weeks' time. The ICO has been lobbying for more powers, stronger sanctions and more resources for years. Earlier this year, parliament granted the ICO the power to impose penalties for deliberate or reckless breaches of data. In July the Ministry of Justice published a consultation on changes to the powers and funding of the ICO, stating it needed more money and more powers to be effective.

The Queen's speech, slated for 3 December, is expected to reveal that the ICO would be granted the power to do spot inspections of firms. At the moment, the ICO has to receive permission from the firm it wants to inspect. The Commissioner could also receive more resources to conduct audits. Currently the entire ICO audit team is only five people strong.

Thomas expressed concerns about the government's recent move to roll out large centralized databases, such as the communications database.

"The more databases that are set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralize data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made," he said.

"As government, public, private and third sectors harness new technology to collect vast amounts of personal information, the risks of information being abused increases. It is time for the penny to drop," said Thomas.


But Ira Winkler, security expert, and president and acting CEO of ISAG, said there are benefits to centralized databases. "Centralized databases provide generally good security benefits as long as they are well maintained and securely administered," said Winkler, author of Spies Among Us.

Winkler argued that scattering databases across government increases the risk of a compromise, whereas consolidating and centralizing data would make it easier to manage. "It is easier to focus on one system, than to bring lots of smaller systems under control," he said, adding that data breaches are happening anyway under the scattered model.

Shadow security minister Baroness Pauline Neville Jones, who made the closing keynote at RSA Europe yesterday, voiced her support for a centralized database that would be an important investigative tool for tracking terrorists. But, she added, the government must ensure that the powers of the state are controlled and not excessive.

"It is important that government access to such material is strictly controlled to restore public confidence," said Neville Jones. "But we must not turn into a surveillance state."

"The government has not understood that just because the information is in its possession doesn't mean that it has ownership of that information. Don't treat the information as though it is ours, but treat it as though it's yours," she told an audience of press representatives.

Neville Jones also said that a Conservative Government would give the ICO more regulatory powers and would look at expanding the role in a systematic way that would see more than one Commissioner in the ICO.