Sunday, 13 November 2011

Breach notification: What have we done to deserve this?

Each time I open the data protection press I read about yet another data breach. In fact there seem to be so many right now that it’s hard to care too greatly about many of them. Should we worry about the sad incident involving Rochdale Metropolitan Borough Council, whose employee, last May, lost an unencrypted memory stick containing the details of over 18,000 residents? The data included, in some cases, residents’ names and addresses, along with details of payments to and by the council. But the device did not include any bank account details. Six months later, the ICO issued a press release about the affair.

Or should we worry about Newcastle Youth Offending Team, which managed to have an unencrypted laptop containing personal data relating to 100 young people stolen from a contractor’s home in the Northumbria area last January? Ten months later, the ICO issued a press release about the affair.

Or perhaps we should worry about University Hospitals Coventry & Warwickshire NHS Trust, which lost records relating to the treatment of 18 patients in February and then some more patients last May? And the ICO’s press release was issued at the end of October.

Should we worry about the breaches themselves or the time it has taken the Information Commissioner's Office to publicise the breaches? Or indeed should we worry that the vast majority of the stuff we read about relates to the public sector, rather than the private sector?

I have to say that there may be a bit of special pleading here, as of course Communication Service Providers have been required to report breaches to the ICO for several months now, so perhaps it won’t be too long before their transgressions are more generally known, too.

Should I worry myself? Well, given the fact that the breaches which the communication service providers have to report include those where no-one has been harmed, where the loss has related to encrypted information, where the breach of even a single record is sufficient to warrant a notification, and the breach can involve the accidental alteration of information, as well as the loss of information, I would expect the Commissioner’s staff to have a healthy stream of notifications through which to wade. And these notifications have to be made “without undue delay”. We are talking of weeks here, not months. So, on current form, the initial wave of ICO Press Releases could be getting drafted sometime soon. With luck, they might simply say that the Service Providers are meeting the obligations that have been imposed on them by SI 2011 No 1208. With more luck, they might say that a number of the incidents that have been notified to them were probably not intended to have been notified to them by those who drafted the initial legislation, so it hopes to hold a workshop in the new year to consider, in the light of the experience of actually operating the current mandatory personal data breach notification scheme, what it actually means and what purposes are being served.

After all, if there is confusion now about what is required and who is expected to do what and when, how will the ICO manage when the mandatory breach notification process is extended to cover, say, all 300,000 UK data controllers?

What, though, has the delay between the breach notification and the ICO’s decision to publicise the breach achieved? Presumably it’s given the offending party an opportunity to get its house in order, to understand the cause of the breach and to raise a project to address that cause. So hopefully that type of breach won’t happen again. At least to that data controller, anyway.

But can this actually be the case? Many of the incidents I see arise not as a result of technical failures (although of course systems will always encounter the odd weakness every now and again) but because individuals have not exercised the personal behaviours that you might wish of them.

So the incident involving Rochdale Metropolitan Borough Council was obviously avoidable, as it involved the loss of an unencrypted memory stick. Likewise, the incident involving Newcastle Youth Offending Team and the unencrypted laptop. But are we really going to be able to avoid incidents involving the inappropriate disposal of paper records (even if they relate to confidential medical information)? Such matters won’t be resolved by new IT security policies, or central controls. No, they relate to human behaviours, like which bin to dispose of confidential waste in, and we’re all human, after all.

And if the medical profession can’t quite master the disposal of paper copies of confidential personal files, then I dread to think what will happen when the rest of us are invited to realise just what employees of other data controllers have been up to!