The Guardian - UK
Christian Toon

Data-handling: the ICO sends out a stern message to the public sector

The Information Commissioner's Office (ICO) has just handed out its first two fines under new powers associated with the 1998 Data Protection Act. The employment services company A4e was fined £60,000 for losing an unencrypted laptop containing personal information, while Hertfordshire county council was fined £100,000 for sending faxes containing highly sensitive data to a wrong number.

Both these fines fell considerably short of the £500,000 maximum under the act, but the fact that the latter (and larger) fine was issued to a public-sector organisation is not to be taken lightly. In times of government cutbacks, the fine is a wake-up call to public bodies.

Public-sector organisations that handle sensitive data – from immigration decisions and medical records to tax records and financial data – need to ensure they have robust policies and processes established for managing, storing and tracking information, and that their staff are trained to use these processes.

This isn't just good business practice; UK citizens have a right to expect that information about them is handled with care and security, and that someone knows where data is kept and why, as well as how to get the data back when it is needed.

Regardless of their size, all public bodies share similar information management challenges. First, the volume of incoming and outgoing information is growing all the time. Second, there are considerable difficulties inherent in the integration of physical information, such as paper documents, with digital records, such as emails. As a consequence, it is becoming increasingly difficult for authorities to keep track of where and how data is being stored, not to mention with whom it is being shared.

Information is particularly vulnerable when it changes hands. Therefore, the difficulties for information and risk managers are heightened when multiple suppliers are used to service the different stages of the information cycle, such as using one supplier for transportation, another for storage and yet a third for destruction. For a general public bombarded with media messages about identity theft and the misuse of personal data, this fractured approach is an area for concern.

There is one leading government department, responsible for managing a vast number of records in multiple formats, that provides us with a model of good data-handling practices. This department has set up a system that combines the security and traceability of digital information with the resilience of paper records. Its information management system allows all records to be viewed on one platform so that, regardless of format, every document is visible, from creation and classification through to compliant destruction. This gives that department an improved chain of custody and greatly reduces the need for co-ordination between services, delivering significant savings in time and cost.

In order to remain compliant with the latest legislation, it is important that public-sector organisations have measures in place to protect their – and our – data. This may not be the most glamorous of fields, but it is sound records management; data entry, cataloguing, tracking, retrieval and indexing systems are the lifeblood of a trusted, effective public-sector organisation.

Even with all this in place, the human factor will always be the weakest link, whether the breach is accidental or the consequence of deliberate action. There have been plenty of examples this year where USB sticks containing confidential information have gone missing or emails have been sent with little regard for the sensitivity of the content. While no data-management system is foolproof, public authorities must take action to reduce these risks as far as possible – and to ensure they can manage the fallout from any crisis that might occur.

Departments should mandate suitable "endpoint" security controls to restrict the transfer of data on all their electronic devices and should demand the same approach of their suppliers. Such a strategy restricts the ability to use USB sticks or, if they are used, allows encryption protocols to be applied. It is an approach that is far more cost-effective than many people think.

No public-sector organisation can afford to fall short of acceptable standards for managing our personal information. The ICO has sent a clear message: get it wrong and you will be held accountable. Minimising the risk of a data breach must now be made a sector-wide priority. The price of failure may well include damage to the reputation of the entire sector, and this could prove far more costly than any fine.

Christian Toon is head of information risk at the information management firm Iron Mountain
