Wednesday, 23 September 2009

Lost laptops and discs

Excellent session this morning from David Smith, Deputy Information Commissioner on data security, particularly in relation to the spate of data losses which received so much attention in the press. Of course, the problem of data loss has changed dramatically in recent years - it used to be piles of paper files found on rubbish tips - now hundreds of thousands of records can be stored on memory sticks which are much easier to lose!

The first incident to receive a lot of press coverage was the child benefit discs which illustrated an important concept - that of data minimisation. A request for a particular set of information had been received, and instead of just producing this, a download of the complete dataset had been produced - because it was easier. The second major incident - that of the loss of an MoD laptop containing 600,000 personal records - illustrated a couple of important points. Why were so many records needed on one laptop? Why weren't they encrypted, and (more importantly), this was the fourth time it had happened - what sort of incident response had they got in place?

His analysis on why data security breaches happen included the statement that personal information is not sufficiently valued by managers and that policies and procedures around data security are not always fit for pupose - in one instance that he quoted the policy ran to hundreds of pages and therefore was neither read nor referred to. There's also the "Facebook generation effect" where today's young people have a different attitude to personal information.

The ICO have responded in a number of ways - a breach notification system has been put in place where data loss over a certain threshold and where there is potential harm to individuals is reported, (harm includes possible identity theft and release of information about subject's private lives such as medical records). since its introduction in November 2007 there have been 670 breaches reported, with the NHS winning in terms of numbers! Stolen data and hardware is the biggest cause, but also significant is the recycling of hard drives, where a number purchased from eBay were found to contain personal data.

The ICO can also carry out spot checks to audit an organisation's data security, and are currently pressing for more powers in this area. Next year for example they will be able to fine organisations for data breaches.

Privacy by design was the closing message - privacy should be designed into all new projects and a privacy impact assessment carried out before any project starts.

Some things to think about as we review our data security policies.

1 comment:

Chris Willis said...

The UCISA workshop I went to about Information Security Policies gave some very useful advice on actually getting folks to adhere to policies.

The key message from that for me was to try and keep your IS policy brief (two pages) and have policies that apply and can be understood by identified groups of users. So the IS policy applies to everyone and tells them what else they should be aware of, e.g. Information Handling for Finance and HR staff, Sys admin charter for CiCS staff, both for SAP BASIS staff and so on.

Privacy impact assessments for projects sound like a good idea but perhaps not a popular one! However any research involving personal data has to demonstrate it conforms to standards etc... why shouldn't projects? Of course, when I want a new IT service implemented I'll not be happy about any extra consultation and form filling.