New figures from the Information Commissioner's Office (ICO) reveal that burglaries and theft are the single biggest security risks for organisations processing people's personal details. 711 organisations across the public, private and third sectors have reported security breaches to the ICO since 25 million child benefit records went missing two years ago this month; 231 of these involved theft.
Several organisations have signed formal Undertakings to step up security at premises to ensure that people's personal details are adequately protected. Over 200 private sector firms have reported breaches to the ICO and 209 NHS bodies, which tend to hold some of the most sensitive personal data such as health records, have identified breaches.
Speaking to data protection chiefs today, David Smith, Deputy Information Commissioner, will say: 'Since November 2007 we have taken action against 54 organisations for the most reckless breaches in line with our commitment to proportionate regulation. Some of these breaches would trigger a significant fine for organisations were they to occur after the introduction of monetary penalties in 2010.
We are keen to encourage organisations to achieve better data protection compliance and we expect that the prospect of a significant fine for reckless or deliberate data breaches will focus minds at Board level.'
The ICO has used the strongest powers currently available, serving organisations with Enforcement Notices and getting chief executives to sign formal Undertakings pledging future security improvements. New powers scheduled to come into force in 2010 will enable the ICO to impose substantial monetary penalties on organisations where there is evidence of a reckless or deliberate data protection breach. The Ministry of Justice is currently deciding the amounts that can be levied. The ICO is also increasing its auditing role to ensure greater compliance with the Data Protection Act and new powers contained in the Coroners and Justice Bill would give the ICO formal inspection powers across government.
David Smith will continue: 'The majority of organisations get data protection right, but regrettably a significant minority of management teams are failing to take data protection seriously enough. Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media.'
Mick Gorrill, the Assistant Commissioner with responsibility for investigations, said: 'People's data has a value. If you had £10,000 you are unlikely to leave it in the boot of your car; you would put it in a safe or deposit it with a bank. In the same way, people's national insurance numbers, health records and bank details are valuable assets and organisations must take adequate steps to protect personal data. We have investigated organisations, including several NHS bodies, that have failed to adequately secure their premises and hardware, which has left people's personal details at risk. I encourage organisations, especially NHS bodies, to ensure that the level of security at premises is commensurate with the type of data they are holding. Many breaches are avoidable and are often the result of poor management processes.'
The action that the ICO has taken is listed here:
Tips on data security are here: