ICT for Recovery

Information Commissioner: Security still a challenge for public sector


Ongoing poor awareness of the criticality of information security, and fuzziness around legal and compliance obligations is still issue number one, ICO deputy information commissioner David Smith told the Human Factors in Information Security Conference in London.

"In many cases, there is still a long way to go on security awareness and understanding obligations, especially in terms of the DPA (Data Protection Act)," he told delegates who included public and private sector CIOs and Chief Security Officers. "A lack of communication and training around security has come up time after time when there have been data breaches."

Organisations often address security awareness only in a one-off training session rather than attempting to embed it in everyday business practice, he went on to warn.
 
Failure to put existing security policies into effect is another disappointment, added the ICO representative, underlining the fact that staff attitudes remain one of the biggest challenges to bringing information security up to an acceptable level of cover. Another common thread running through most data breaches, past and present, is the low value still attached to personal data – a gap the ICO says is mainly due to a lack of adequate management structures.
 
Improving governance and accountability is thus still "absolutely key" for many public and private organisations, said Smith, who predicts that imminent changes in the law and in the penalties for poor data protection may finally change the public sector's approach. As of April, the ICO has the power to impose fines of up to £500,000 and to conduct spot audits, while a possible data breach notification law in the UK is definitely on the table.
 
"Within 18 months data breach notification will be required by law in the telecoms sector in line with EU directives - and I can see this being extended across all sectors within three years," he warned the audience. Custodial sentences for individuals found guilty of deliberately selling information or gathering information under false pretences are also a possibility, says the ICO, but we are unlikely to see any new legislation going so far before the General Election.