20 Apr 2011
Organisations are focusing too heavily on technical security measures and failing to get the basics right when it comes to data protection, according to deputy information commissioner David Smith.
Speaking at the Infosecurity Europe event in London today, Smith argued that, with around 600 breach notifications in the past year and 60 in March, there has not been a serious increase in breaches since notifications began in 2009, showing that the data protection message "is getting through partially".
However, Smith complained that many organisations are still failing on disciplines like data minimisation, making policies and procedures relevant to people's daily jobs, and staff awareness and training.
"A lot of this is basic stuff. My key message is that, of course, the technical side of security is important and there are some big threats from hacking and interception, but so many organisations are still not getting the basics right," he said.
"Organisations do provide data protection security training to their staff, but they often take a tick box approach, for example."
Smith warned that cloud computing and outsourcing, mobile and location-based technology, cost-cutting austerity measures and simple complacency all pose potential data protection risks to organisations.
"Technical factors are important, but organisations should not forget the basics," he said.
"So much of it comes back to humans, but it's not about blaming individuals. The systems and processes in place should stop any human errors. There's still room for improvement. Data protection is about more than security."
Theft and loss of data are still among the biggest causes of a breach, according to the ICO, accounting for nearly half of all incidents.
Just today, the ICO had to force an NHS Trust in Birmingham and the Freehold Community School to sign formal undertakings after incidents, the latter occurring after an unencrypted laptop was stolen from a teacher's car.
Smith singled out local government, the private sector and the NHS as the biggest culprits when it comes to data breaches, although he admitted that the private sector is "less willing to tell us about the breaches they've had".
He warned that there are currently 20 cases under investigation by the ICO which could incur a financial penalty for the organisations involved.
The watchdog has had the powers to fine organisations up to £500,000 since April 2010, although there has been criticism that it has not used these powers frequently enough.