Carelessness tops data breaches league
Hacking and high-profile data thefts may hit the headlines, but the leading cause of the data breaches investigated by the Information Commissioner’s Office (ICO) was carelessness.
Figures released on 9 August show that during the first quarter of this year, more than half of the 335 data breach incidents – 175 in total – that the ICO looked into were due to personal data being disclosed in error, ranging from emails being sent to the wrong address to information being erroneously included in freedom of information responses. Lost or stolen paperwork (42 cases) and lost or stolen hardware (29 cases) were the next most frequent types of incident.
Such data breaches can have serious consequences for the businesses or organisations involved. On 5 August, the ICO served the Bank of Scotland with a £75,000 penalty after sensitive customer data – including bank statements, account details, mortgage applications and customers’ names, addresses and contact details – were repeatedly faxed to the wrong recipients over a four-year period.
Depending on the seriousness of the breach, the ICO can also issue offending organisations with enforcement notices or work with them to sign undertakings.
Meanwhile, the ICO has issued new guidance for businesses and other organisations to help them deal with requests from individuals for their personal data, known as subject access requests, under the Data Protection Act.
The new guidance, published on 8 August, has been issued after the ICO handled over 6,000 complaints related to subject access requests in the last financial year.
Information Commissioner Christopher Graham said: “The ICO’s complaints figures show that many organisations still need to improve their processes for dealing with these requests.
“Our new subject access code of practice will help organisations deal with these types of requests in a timely and efficient manner, allowing them to demonstrate that they are looking after their customers’ data and being open and transparent about the information they collect.”
The guidance can be accessed at: www.ico.org.uk/for_organisations/data_protection/subject_access_requests