Breaches of the Data Protection Act reported to the Information Commissioner’s Office are only a tiny fraction of the true number of such incidents happening across the UK, according to a series of Freedom of Information requests from security and communications specialist ViaSat UK. While 1,089 breaches were reported to the ICO between March 2014 and March 2015 (1), police forces across the UK reported at least 13,000 thefts (2) of devices that could hold sensitive data from businesses, meaning there are thousands of potential incidents going unreported. Since the current Data Protection Act contains no legal obligation to report breaches and includes no specific security requirements, there is no way of knowing whether any of these thefts put the population’s sensitive data at risk.
“We must remember that 13,000 thefts is the bare minimum: considering that not all police forces could share this information, the real figure is likely to be many times greater. As a result, thousands of individuals’ private data could well be on borrowed time,” said Chris McIntosh, CEO, ViaSat UK. “It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimised. For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence that none of the 13,000-plus stolen devices represent a threat.”
The vast majority of breaches reported to the ICO came from the healthcare sector, which was responsible for 431 in total; the next highest was local government, with 129. Indeed, between them these two sectors, which mostly represent public sector organisations, accounted for 51% of all reported breaches (3) and the greatest number of undertakings enforced by the ICO (4). With other mainly public sector organisations, such as education and law enforcement, accounting for a significant number of reported breaches, the statistics suggest that the private sector is still greatly under-reporting the number of potential breaches it encounters.
Chris McIntosh continued: “The ICO’s role is to encourage best practice in data protection. While it is clear that its financial penalties are aimed at this goal, it still needs more legal and financial muscle to drive its goals. While compulsory reporting of every single potential breach could be difficult to enforce, inevitably it would give the ICO a clearer view of the problem and allow it to better mandate best practice. However, in the meantime compulsory encryption, and the power to police it, is the absolute minimum that the ICO should be granted.”