A significant improvement of data protection in the UK is needed after new research revealed that reported breaches of the Data Protection Act represent only a fraction of the true number of incidents.
Chris McIntosh, CEO of satellite and communications product provider ViaSat UK, which conducted the study, told 24N that the measures organisations are taking to protect clients’ data are not improving.
The firm carried out a series of Freedom of Information (FOI) requests and learned that 1089 data breaches were reported to the Information Commissioner’s Office (ICO) between March 2014 and March 2015.
However, police forces across the country reported at least 13,000 thefts of devices that could hold sensitive data from businesses, indicating there could be thousands of data protection incidents going unreported.
The Data Protection Act currently does not contain a legal obligation to report breaches, nor does it include specific security requirements, which means it cannot be determined whether the thefts of devices put the population’s data at risk.
“We must remember that 13,000 thefts is the bare minimum: considering that not all Police forces could share this information, the real figure is likely to be many times greater,” McIntosh claimed.
“As a result, thousands of individuals’ private data could well be on borrowed time,” he added.
Worryingly, the vast majority of breaches reported to the ICO came from the healthcare sector, which was responsible for 431 in total, followed by local government with 120 breaches – together accounting for 51% of reported breaches in total.
Public sector organisations were mostly responsible for the data breaches reported to the Information Commissioner, with a number of incidents reported in the education and law enforcement sectors.
According to ViaSat, the figures suggest that the private sector is greatly under-reporting the number of potential breaches it encounters.
We at 24N decided to question McIntosh on why there seem to be so many issues with data protection in the UK.
The ViaSat CEO believes that there are a number of factors contributing to the problem, but most importantly, he thinks that the ICO needs to be given greater powers to deal with those risking people’s information and that data legislation needs to be tightened.
“It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported or that risk is minimised,” claimed McIntosh.
“The ICO’s role is to encourage best practice in data protection. While it is clear that its financial penalties are aimed at this goal, it still needs more legal and financial muscle to drive its goals.
“While compulsory reporting of every single potential breach could be difficult to enforce, inevitably it would give the ICO a clearer view of the problem and allow it to better mandate best practice.
“However, in the meantime compulsory encryption and the power to police it is the absolute minimum that the ICO should be granted,” he added.
To organisations that are responsible for safeguarding personal and sensitive data belonging to their customers and clients, McIntosh advises that they only take information they actually need and put appropriate encryption in place.
“Encrypting data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory and enforced with spot checks and suitable punishment, then the public and the ICO could have much greater confidence that none of the 13,000-plus stolen devices represent a threat,” he claimed.
The CEO also had some advice to people who are concerned about the safety of their data with third parties: he recommends directly asking how your information is protected and why they need certain information – if it isn’t absolutely essential, there is no need to hand it over.
Finally, McIntosh’s parting words to people and businesses which take personal, sensitive data from people are: “protect other people’s information as well as you would protect your own.”