There have always been losses of data; it used to be personal data discovered in black bin liners on refuse tips, but the scale has changed with the use of data sticks, laptops and the like. Recent high-profile data breaches have led to a tightening up of data security in the public sector, but there is still a lot that can be done.
The Information Commissioner's Office's powers have increased recently, and it can now take enforcement action against and audit government organisations. Under its voluntary breach notification scheme it receives about 30 to 40 notifications a month, with the public sector predominating and the NHS top of the list. This doesn't necessarily mean more breaches; it may just be that public bodies are more willing to report under a voluntary system.
Some key points:
- Theft and loss of portable media is highly significant, but it was interesting to note that the ICO doesn't consider the loss of properly encrypted media a data breach.
- Retention and lack of weeding of data continues to be a problem, and we should work to minimize the amount of data stored where possible on the grounds that if you don't have it you can't lose it.
- Many problems arise from a lack of proper risk assessment and a one-size-fits-all approach, with organisations treating all personal data in the same way.
- The DP Act says appropriate security must be in place, not absolute security: more support for a risk-based approach.
- All systems/services should utilise Privacy by Design, i.e. design privacy in from the beginning rather than trying to fit it afterwards.
- It's all about building public confidence. Take Google Street View: it turns out that they hardly collected any personal information, but they took a reputation hit because of perceptions.
- If your rules are too strict, people will get round them. For example, some firms banned memory sticks, so users just emailed data to their personal email accounts.
- As mobility and access to networked information increases, try to avoid anything being downloaded to devices.
After the talk I had an interesting chat with him about the implications of outsourcing things like email, and the simple answer to my question about whether Safe Harbour was adequate for data held outside the EU in the US was "yes".