23/11/2011
A report published today has again highlighted the regularity with which the Data Protection Act 1998 (DPA) is being breached by public sector organisations. The report, by Big Brother Watch, details that between 2008 and 2011, 132 local authorities in the UK lost data in over 1000 separate incidents.
The report lists "indicative" breaches of the DPA and includes the loss of laptops and USB sticks and errors where data had been faxed, emailed or posted to the incorrect recipient.
The DPA was amended last year to provide the Information Commissioner's Office (ICO) with increased enforcement powers. The ICO can now fine an organisation up to £500,000 for a breach of the DPA, and it is clear that the ICO intends to use this new power, as significant fines have already been levied. The ICO has also expressed a wish for further powers to allow it to compulsorily audit organisations to determine their level of data protection compliance. At present, an audit of a local authority can only take place with consent.
Coupled with these new powers and the desire to improve data security, the ICO has indicated that the public sector must "get it right" in terms of the systems in place to ensure that data is kept securely and is not misused or lost. With this in mind, local authorities must ensure that their data protection systems are robust and that lessons are learned from other public sector data losses.
Authorities should take this opportunity to review all ways in which personal data is stored and processed to ensure that there are appropriate technical and organisational measures in place to guarantee its security. The ICO has indicated that encryption of any portable and mobile devices is a reasonable step that they would expect public sector bodies to take: "encryption is a basic procedure and an inexpensive way to ensure that information is kept secure. But, to their detriment, not enough data handlers are making use of it".
With data losses becoming increasingly newsworthy and public sector bodies firmly within the sights of the ICO's new enforcement powers, all authorities will need to prioritise their data protection compliance if enforcement action and potentially heavy fines are to be avoided.
Bevan Brittan has dedicated lawyers who are able to advise all public sector organisations on managing and avoiding breaches of data security and on the DPA more generally. If you would like more information or would like to discuss anything raised in this update, please contact James Cassidy at james.cassidy@bevanbrittan.com