ITPRO

Printed from www.itpro.co.uk


InfoSec 2011: DPA breached after NHS security fail

The ICO raises concerns organisations are getting the basics wrong after an NHS Trust breaches the Data Protection Act.

By Tom Brewster, 20 Apr 2011 at 12:49

Another NHS body has breached the Data Protection Act after a network access failure, the Information Commissioner’s Office (ICO) has confirmed.

Lax IT security measures were to blame, as NHS Birmingham East and North allowed employees to potentially access restricted sensitive data, the ICO said today.

Workers at two other nearby Trusts could have accessed the information as well.

Organisations are still getting basic data protection wrong, deputy commissioner David Smith told delegates at the InfoSecurity 2011 conference, being held in London this week.

“A lot of this is basic stuff. My key message... of course the technical side of security is important... but there is still a big message about the basics,” he said.

“So many organisations are not getting the basics right.”

Despite disappointment surrounding such failings, Smith said the message was at least partially getting through to UK firms.

Of all cases reported to the ICO in 2011, 45 per cent were due to loss or theft of data. This figure stood at 60 per cent last year.

More powers

The ICO also today welcomed additional powers to fine organisations for the most serious incidents of making unwanted marketing phone calls or sending unwanted marketing emails to consumers.

For such cases, the £500,000 cap remains in place – something Smith indicated the ICO would like to see bumped up, even though it has proven adequate so far.

The additional powers will form part of an amendment to the UK’s Privacy and Electronic Communications Regulations (PECR), coming into force on 25 May 2011.

The changes to PECR also cover the need for websites to ask for permission before using cookies to track user behaviour.

“The ICO has been calling for increased powers to regulate breaches of PECR for some time,” said information commissioner Christopher Graham.

“We will be issuing guidance to reflect the changes that are being introduced.”
