ICO reveals even more data breaches

In the year since HM Revenue and Customs lost the records of 25 million people, some 277 data breaches have been reported to the Information Commissioner’s Office(ICO).

Information Commissioner Richard Thomas is set to give a speech at RSA Europe later today, where he is expected to slam the government’s move to large databases and call for all organisations to minimise the personal data they hold.

Of the 277 reported to the ICO, just 80 were from the private sector, with the rest in the public sector. The NHS was responsible for 75, while central government reported 28 and local authorities reported 26. The remaining 47 were from other public sector bodies.

The ICO added it is investigating the 30 most serious cases.

Thomas said in a statement: “The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously. More laptops have now been encrypted and thousands of staff have been trained. But the number of breaches notified to us must still be well short of the total.”

That such breaches continue to occur in the face of previous high profile cases and the threat of enforcement is alarming, Thomas said, adding that data loss can leave individuals open to abuse, fraud and even physical harm.

“Addresses of service personnel, police and prison officers and battered women have also been exposed. Sometimes lives may be at risk,” Thomas said.

Phil Booth, the national coordinator of lobby group NO2ID, said: “The snooping-obsessed government is losing more personal information than ever, because it has seized more than ever. You can't trust a stalker state.”

The government has been criticised for creating a database state, and keeping too much information on citizens – especially in the face of the soon-to-be launched national identity card.

The ICO renewed its call for stronger powers, saying it was working with the government to ensure moves to allow it to impose stricter penalties are implemented as soon as possible. However, Thomas remains sceptical about requiring organisations to report such breaches, believing each case requires a different response.

So far this year, the ICO has taken enforcement action – generally a letter requiring changes to data processes at the risk of prosecution – against Orange Personal Communications, HMRC, the Ministry of Defence, the Department of Health, Virgin Media, Skipton Financial Services, the Foreign and Commonwealth Office, and Carphone Warehouse.

Email to a friend

Print this page