
Serious Data Breaches in Local Authorities

Hutton Henry

Newspapers today ran the headline "Councils have lost or misused private data thousands of times, says watchdog", which is certainly eye-catching.

The newspaper article explains that data has been lost or stolen thousands of times, and that the watchdog is proposing "Big custodial sentences to be introduced for the most serious data breaches".


Wanting to know more, and what data has been stolen (especially considering our focus is on securing server systems), I skimmed through the Watchdog's report.

It's an interesting read, because many of the "data breaches" are human error (sending two letters in one envelope, leaving something on the Tube, sending an email to the wrong person) and/or really bad luck (a staff member is mugged or robbed with a laptop or mobile phone in their bag). It is no wonder many of the staff are not disciplined.

Other than controlling the flow of e-mail (using something like Rights Management) and ensuring laptops and mobile devices are encrypted, it doesn't appear that technical controls alone could have prevented many of these breaches.


The business model is interesting: Local Authorities employ thousands of people, who in turn deal with thousands of people. With that much public interaction, it would seem normal to have some margin of error, and the errors are very visible because they affect every one of us.

I wonder what percentage these data issues represent against the number of successful interactions/transactions a Local Authority makes?

It is right to bring this information together, to show there's an issue. But what is the solution? Reading the report further, there are more recommendations than the newspaper reported:

1. The introduction of custodial sentences for serious data breaches.
2. Where a serious breach is uncovered the individual should be given a criminal record.
3. Data protection training should be mandatory for members of staff with access to personal information.
4. The mandatory reporting of a breach that concerns a member of the public.
5. Standardised reporting systems and approaches to handling a breach.
6. The extension of the ICO’s assessment notice powers to cover local authorities.


Personally, I would like to see standards set for encryption, e-mail protection and data safeguarding: the operational elements of information technology that may help when an employee makes a mistake. Would a standard data security / encryption solution across all local authorities be a good idea?

There were other recent headlines regarding Local Authorities still running Windows XP and Windows Server 2003.

Maybe it's time to upgrade and take advantage of the security in newer software. But that alone wouldn't address most of the issues highlighted in the report.
