Resting at the top - accountability for data breaches

The Information Commissioner, Richard Thomas, has expressed concern about the rising levels of data breaches, and has urged action to counter the current rising trend of cases reported to the Information Commissioner's Office (ICO). In light of a soaring number of data breaches reported, along with a series of high profile cases involving government departments, the Commissioner has called upon chief executives to ensure that the amount of data held by organisations is reduced, and that proper governance arrangements are put in place.

11 November 2008

The Commissioner has said that the proper handling of personal data depends on policies and procedures, and on the correct use of technology, directed from the very top of organisations. Meanwhile, the Prime Minister has admitted that data losses may be inevitable "because mistakes are made by human beings".

The ICO reports that since the high profile case of HMRC losing 25 million child benefit records nearly a year ago, there have been 277 data breaches reported, including 80 by the private sector, 75 within the NHS and health bodies, 28 by central government, 26 by local authorities, and 47 by the rest of the public sector. The Commissioner has stressed the real-life outcomes of data loss. It can result not only in problems such as credit card forgery, mortgage fraud or falsified Land Registry records, but can also lead to vulnerable people's lives being put in danger, as 'addresses of service personnel, police and prison officers and battered women have also been exposed' says the ICO.

While the Commissioner acknowledges that the increase in reports can partly be attributed to improved checking and auditing, he also says that there may yet be more undetected cases which would push the total even higher.

A key concern of the Commissioner is the centralisation of personal data. He suggests that as more and more data is collected by single bodies, there is an increased risk of large numbers of records going missing at once. On the direct consequences for organisations and companies themselves, the Commissioner stated that "the more you lose the trust and confidence of customers and the public, the more your prosperity and standing will suffer". Bad publicity has dogged the government recently over data loss, and the opposition has pointed to it as a sign of government incompetence.

The Commissioner has also addressed the hard side of regulation, in the form of sanctions and penalties. He has set out his desire to pursue vigorously the use of enhanced financial penalties to act as a deterrent to breaches, coupled with the ICO being given more inspection and audit powers. Furthermore, the ICO has proposed raising the data protection notification fee for the largest organisations.

The Commissioner, however, rejected calls for a statutory duty to be placed on organisations to notify people of data breaches, as different situations carry different levels of risk, and need different responses.

It remains to be seen whether the Commissioner's warnings will be heeded. However, it is curious to note that just as the Prime Minister has declared that data breaches are inevitable due to human error, the ICO has warned that accountability for data breaches 'rests at the top'. It is not clear how far up the Commissioner intended this to reach.