Top officials to be held to account for data losses
Officials across the public sector, including permanent secretaries and chief executives of NHS trusts, are to be forced to take data protection “much more seriously” under proposals due to be laid out by Gus O’Donnell, the Cabinet Secretary.
In the coming weeks Mr O’Donnell is expected to present the findings of a report on data security. The report was commissioned by the Prime Minister in the wake of the loss by HM Revenue & Customs (HMRC) in November of discs holding the records of 25 million child benefit claimants.
The Information Commissioner, Richard Thomas, who has seen a draft of the report, said that the new measures focused on “issues of accountability and governance”, indicating that the heads of departments would be personally responsible in the event of serious data breaches.
“It has to be the likes of chief executives (of NHS trusts) and permanent secretaries who are held accountable when things go wrong,” Mr Thomas told a security conference in London. “They can’t simply make assumptions that everything is in the hands of the ‘techies’.”
Details of the tougher penalties for information losses emerged as the Information Commissioner’s Office said it had received reports of 94 further data breaches – affecting both the public and private sectors – since the HMRC incident.
Nearly a third of the breaches in the public sector, which ranged from “the minor to the very serious”, Mr Thomas said, were in central government, while a fifth affected the NHS. Of the breaches in the private sector, more than 50 per cent were in financial institutions.
Later this year the ICO is due to begin using new powers to ‘spot check’ both public and private sector organisations where a data breach is suspected.
“There are going to be new requirements for Whitehall departments and new guidance for the public sector at large,” Mr Thomas said. “It’s not just about data security. We need to ask a whole range of questions, such as why so much information is being collected. Why is it being retained for so long? Why are laptops which hold the information not being encrypted? And why are such laptops being left in the backs of cars?”
A separate report from the Department for Business, Enterprise and Regulatory Reform (BERR), produced in conjunction with PricewaterhouseCoopers, the professional services firm, found that two thirds of British companies did nothing to prevent confidential information leaving the company premises on USB sticks and discs, and that four fifths of companies which had had computers stolen had not encrypted their hard discs.
More than half of companies now also allowed their employees to access the company database remotely, the report found, and 13 per cent had detected “unauthorised outsiders” in their networks. Those companies that did allow remote access to their network were more than twice as likely to experience a security incident.
Andrew Beard, an information security director at PricewaterhouseCoopers and co-author of the report, said: “Senior management is now certainly beginning to take security seriously, but the seriousness of breaches is as high as it’s ever been.”
Health Direct thinks that this new spin is akin to shutting the stable door after the horse has bolted.