The information commissioner has criticised the mishandling of personal data by the private and public sectors, in the light of hundreds of data breaches reported to his office over the past year.
In a speech to the RSA Conference Europe 2008 on Wednesday, Richard Thomas said that 277 data breaches had been reported since last November. Thirty serious incidents, in both the public and private sectors, are still under investigation.
"I can reveal today that the number of data breaches reported to my office has soared to 277 since November 2007," said Thomas. "There have been 28 breaches by central government; 75 within the NHS and other health bodies; with 80 reported in the private sector. We are currently investigating 30 of the most serious cases."
Thomas said that, in the past year, his office has taken enforcement action regarding data losses against HM Revenue & Customs, the Ministry of Defence, the Department of Health, the Foreign and Commonwealth Office, Virgin Media, Skipton Financial Services, Carphone Warehouse, TalkTalk and Orange.
Thomas urged industry and government leaders to avoid being "asleep at the helm" when it comes to safeguarding information. Both the public and private sectors must be aware of the risks of abuse of massive databases of personal data, said Thomas.
"It is time for the penny to drop," said Thomas. "The more databases that are set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made. The more you lose the trust and confidence of customers and the public, the more your prosperity and standing will suffer."
Thomas said that organisations must adhere to the principles of data minimisation, retaining as little data as possible, to avoid damage to their reputation through data loss.
On Wednesday, the Home Office defended its proposed National Identity Register, the huge, centralised database behind the ID cards scheme.
The government department has also proposed a centralised database containing the details of communications made by every UK citizen, including telephone caller and receiver, email sender and recipient, and web-browsing habits. The Home Office said that such far-reaching databases were necessary due to the evolution of technology.
"The communications revolution has been rapid in this country and, because of changes in technology, the way in which we collect communications data needs to change too. If it does not, we will lose this vital capability that we currently have and that we all take for granted in fighting and solving crime," said a Home Office spokesperson. "Of course, there is a balance between privacy and our liberty, which is why we have said we will be consulting on this and seeking a political consensus."
Regarding the proposed communications database, the Home Office added that "no decisions have been taken" and that it will be "consulting in the new year".
Talkback
This post has been removed by a moderator.
A solution is required to centrally manage, monitor and control precisely which removable storage devices and applications are permitted to run on government networks. A system that minimises user access rights to data, applications and removable media by operating a whitelist of known, trusted and permitted applications and devices. By default, end users should have no access to removable media and where this is permitted, via centralised control of the user privileges, encryption can be enforced on the data or the device. This “default deny” approach will ensure clear lines of responsibility and accountability for data being transferred and fosters a culture of data security among personnel that are granted access to citizen data. All data transferred, as well as attempts to do so, shuld be centrally available for audit. This will allow for scrutiny of departments’ data handling procedures, aid reporting and answer the requirement for departments to keep records in the event of a spot check by the Information Commissioner.
Address these Data Breaches:
* Remove the risk of data loss through the unauthorised use of removable media
* Enforce encryption on removable media
* Remove the risk of data leakage or data theft as a result of unauthorised applications
* Prevent unknown or malicious code from running, including malware; zero-day threat and other destructive viruses that target systems and data; keylogger software or other spyware
* Audit device and application usage
* Maintain IT system integrity and improves system performance and network bandwidth
* Enable compliance with evolving directives or regulations governing privacy
These solutions exist today, so their should be no more excuses.