Huge number of data loss incidents are going unreported to the ICO

There have been plenty of statistics pouring forth about the ICO and data loss in the UK, and here's another alarming one concerning the number of incidents which aren't reported to the Information Commissioner.

According to a Freedom of Information request which ViaSat made to 18 UK police forces, businesses reported no fewer than 67,677 thefts in the year running up to February, and just over 13,000 of these snaffled devices held sensitive corporate data.

Yet only 1,089 data breaches were actually reported to the ICO by businesses – and also bear in mind that there are far more than 18 police forces in the UK, so the true figure of missing devices will be much higher than 13,000.

ViaSat’s chief executive in the UK, Chris McIntosh, told Computerworld UK: “We must remember that 13,000 thefts is the bare minimum: considering that not all police forces could share this information, the real figure is likely to be many times greater. As a result, thousands of individuals’ private data could well be on borrowed time.”

ViaSat also noted that the vast majority of breaches reported to the ICO were made by public sector organisations (healthcare in the main), and that private businesses account for a very small number of reported data loss incidents.

McIntosh added: “It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimised.

“For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence that none of the 13,000-plus stolen devices represent a threat.”

Earlier today, we saw another Freedom of Information request made by Egress directly to the ICO, which showed a 183 per cent rise in reported Data Protection Act breach investigations in the banking industry over the last two years.

The vast majority of these occurred last year, and once new EU data protection rules come into force, the ICO will be able to hit those responsible for breaches with much bigger fines. However, that isn't likely to lead to more businesses coming forward and admitting when they've had an issue with a data spillage.