Over 1,000 data breaches reported to ICO



    Date: 28 May 2010

    The Information Commissioner’s Office (ICO) has reported that over a thousand data protection breaches have now been reported to it, many of which are the result of staff errors.

    The privacy watchdog is urging organisations to minimise the risk of mistakes. It says staff need simple procedures on how to handle personal information with appropriate training to ensure the importance of personal information is fully understood.

    David Smith, Deputy Commissioner, said:

    “We all know that mistakes can happen, but the fact is that human error is behind a high proportion of security breaches that have been reported to us. Extra vigilance is required so that people’s personal information does not end up in the wrong hands.

    “Organisations should have clear security and disclosure procedures that staff can understand, properly implement these and ensure that they are being followed by staff. Staff must be adequately trained not just in the value of personal information, but in how to protect it.”


    The ICO offers the following tips to organisations:

    • Are you sure that you know who you are disclosing personal information to? Have you checked that they are genuine and that they are entitled to the personal details that they are asking for?
    • Beware of the dangers of email. Be very careful when selecting recipients of personal information from drop-down lists to get the right ones. Do not click on ‘reply to all’ and automatically include all the copy recipients in your disclosure of personal information. For more sensitive information, simple email disclosure may not be sufficiently secure.
    • Check that automated systems, e.g. for stuffing envelopes, are working properly and do some dip sampling to verify this.
    • Beware of window envelopes. Make sure that only the name and address can be seen through the window.
    • Check the positioning of screens, particularly in open areas or by windows where they might be seen by members of the public.
    • Train your staff in the risks of wrong disclosure and make sure that they don’t get careless about who they are passing information on to.

    The ICO has produced a Guide to Data Protection to provide businesses and organisations with practical advice about the Data Protection Act.

    The Data Protection Act 1998 contains a number of important principles regulating the way in which information relating to individuals is held and used. The Act sets out eight Data Protection principles which employers are obliged to follow. The Act also contains a number of offences that employers may commit if the provisions of the Act are breached, some of which impose personal liability on company directors and other officers.

    It is vital that employers familiarise themselves with their obligations under the Act and put the appropriate procedures in place to ensure compliance. The newly updated Data Protection Policy and Management Guide v.4.0 has been published to help employers understand and meet those obligations and to provide clear guidance for employees on their responsibilities when handling sensitive personal data.


    This document is for general guidance and research purposes only, and does not purport to give professional advice. Please check the date at the top of the article; the Workplace Law Network retains historic articles for general research.