The biggest security risks for organisations that process people's personal details are burglary and theft, according to figures just published by the Information Commissioner's Office (ICO).
In November 2007, 25 million child benefit records were lost in transit, provoking widespread media coverage for data breaches. Since then, 711 organisations have reported security breaches to the ICO, including 200 private sector firms and 209 NHS bodies, according to the UK regulator.
Of the total breaches reported, 231 involved theft. The ICO reported that it has taken action against 54 organisations for the most reckless breaches. Several organisations have signed formal undertakings to improve security.
Speaking at the annual conference of the National Association of Data Protection Officers today, Deputy Information Commissioner David Smith said: "Some of these breaches would trigger a significant fine for organisations were they to occur after the introduction of monetary penalties in 2010."
"We are keen to encourage organisations to achieve better data protection compliance and we expect that the prospect of a significant fine for reckless or deliberate data breaches will focus minds at Board level,” he said.
The ICO has limited powers. It can serve organisations with Enforcement Notices and get chief executives to sign formal Undertakings pledging future security improvements. To breach an Enforcement Notice is a criminal offence, but the maximum fine at present is £5,000.
New powers scheduled to come into force in 2010 will enable the ICO to impose substantial monetary penalties on organisations where there is evidence of a reckless or deliberate data protection breach. The Ministry of Justice published a consultation this week that proposes a maximum penalty of £500,000.
“The majority of organisations get data protection right, but regrettably a significant minority of management teams are failing to take data protection seriously enough," said Smith. "Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media.”
The ICO said in a statement today that it is also increasing its auditing role to ensure greater compliance with the Data Protection Act and new powers contained in the Coroners and Justice Bill would give the ICO formal inspection powers across government.
The Department of Business, Innovation and Skills (BIS) published a review (43-page PDF) of the ICO's activities last week. It concluded that the "relationship between the ICO and the Ministry of Justice (MOJ) appears to be less effective than it could be."
BIS also said that the ICO's audit and inspection function lacks documented or systematic processes. It added: "In addition to the imminent new power to impose financial sanctions, the ICO could give greater consideration to making use of other elements of the expanded range of sanctioning options that will be available under the Regulatory Enforcement and Sanctions Act 2008."
The ICO expects to gain the power to fine in early 2010.