Information Commissioner Richard Thomas is again telling UK companies to sort out their data protection systems as the number of reported losses of private information keeps on growing. Since Her Majesty's Revenue and Customs lost a copy of the entire child benefit database six months ago the regulator has been told about almost …
No teeth in this lion...
Such data breaches will stop happening when those responsible are held legally and financially accountable, not before. Right now, there simply is no incentive to stop. What's the worst that could happen - will the offending party get a sternly worded letter? Please.
The Information Commissioner sent details of the lost data to each company on unencrypted CDs (no passwords required) via a courier; the firms say they are still waiting for the disks to arrive...
Perhaps I'm being pedantic, but surely the number of losses can't go down (unless reported "losses" turn out not to be lost)? Is it, in fact, the rate of reported losses which is increasing?
Medicare has recently lost, or had stolen, a tape containing personal data including bank details of some of its customers.
It's apparently on a secure tape that needs specialist software and cannot be easily accessed on a home PC. Because tape drives and backup software are so hard to come by, and if it was stolen, it would of course have been nicked by someone who had no idea what they were doing.
When asked if the data was encrypted, the customer service droid refused to answer, saying it would breach their security policy to do so.
This'll be why...
the ICO's not interested in the Phorm Phiasco.
They're up to their arses in alligators as it is.
The one with the self-encrypting pockets.
They're as impotent as the UK general populace.
Gandhi said "We must become the change we want to see in the world." He spread his message through peaceful protest.
This is the United States of England. Peaceful protest is laughed at by Government and Corporation alike. If we want to see change, we should probably begin with mass refusal to pay various taxes.
The money pool is always the weak spot.
Being a person who has no bank account, no debt, and is not claiming unemployment benefit or income support for a child, and given that pretty much 90% of my online personas, while not entirely fake, contain very little information about who I am (I'm freelance - I just don't see that working for money is the be all and end all - I do just fine thanks :), all this data loss by companies and government is passing me by. I am sure that what little is out there about me can be circulated, but seeing as the thief would have to know who I was in the first place in order to impersonate me, it makes the data that they steal of very poor value.
Of course, this does not apply to all of you out there, whose trust is being systematically abused by pretty much everyone. To be honest, I stopped trusting banks ever since the Bank of Scotland told me that they never checked the signatures on cheques of under £500.00 and refused to refund me the money they had charged me for bouncing a cheque I didn't write. And I'm afraid that trusting the government has never been an option.
A paper tiger throwing rocks at the moon, and looking for a spine.
"The ICO is still investigating the losses, but in 16 cases has told organisations to change procedures."
Or else what? The punishment for (say) a RIPA offence (if you can get anyone to care) is up to five years at Brenda's motel. The punishment for a massive DPA breach is that Richard Thomas comes round to your place and looks at you sort of sternly.
It has been the current Commissioner's frequent refrain that he would dearly like to be taken more seriously. Fine: you want people to take you seriously, try a few prosecutions.
I mean I feel for him, really I do, stashed away from the action in some nasty Cheshire backwater*, shoehorned into a tiny office space between McDonalds and an office supplies shop (if memory serves)**. And OK, OK, only a couple of hundred staff for the entire UK, meaning that all of them must have massive case-loads (and very small desks).
But jeez-louise, if you let people walk all over the DPA with big muddy boots on and then do fuck all about it other than suggest that they might like to change their procedures, guess what? That case load is just going to keep on growing.
He has it in his power to initiate prosecutions, and until he gets his finger out of his arse and starts dishing some out, government and industry will continue to smile charmingly at him, then give him the finger once his back is turned and get back to business as bloody usual.
Richard Thomas, you are an idiot, and some days it just seems like you haven't even read the legislation you are responsible for enforcing.
* Wilmslow, it's sort of like Royston Vasey, only with more expensive shops and less to laugh at.
** No one appears to know why this is so. Some have speculated it's to do with a big pharma corp (Astra Zenneca) office just over the road, but who really knows?
Re: Ah Well
You have no driving licence, you have never registered with the NHS, you don't have a National Insurance number? Nobody in this country is invisible to these databases. Get used to it and join those of us who want the system mended.
Why even bother reporting this?
NOTHING will change.
No one will be prosecuted.
No one will be held accountable.
No fines will be paid - indeed, if the government pays a fine it will do so from our tax money.
None of the sheeple will even care.
None of the other major news outlets even bother to carry this "news", happily toeing the party line.
The Information Commissioner will continue to bleat about it, but doesn't have the power to do diddly else.
No one (govt or corp) will change their policies or procedures...
It simply drives us poor el-reg readers mad to keep having the above facts (and others that have been posted in the past) hammered in again and again.
Things will happen when...
Here is my solution. If a company gets a fine or an enforcement notice from the ICO/FSA or anybody else, vote with your feet.
Don't shop/bank there,
Tell all your friends/family/neighbors to do the same and make it public. Start websites encouraging people to do the same.
Only when it hits them in the pocket, will companies directors start to take customer data protection seriously.
Customer Data protection should be Business as Usual !
@ John Arthur
Well, I do have a driving licence; the name and address and other information on it is wrong, and I have not needed it in 15 years so it has not been an issue. Somebody decided to give me two NI numbers, in different names (same forenames, but one in each of my parents' surnames), and another refused to believe that they had made a mistake or that there was a mistake; this made my first passport application a nightmare, and my second one an almost disaster. Applying for dole is an invitation for fraud investigation as a matter of course, so I have not bothered doing that, and the same goes for applying for loans and even bank accounts (however, those that I had when I was a child I could still use, until I closed them down). As for an NHS number, they've lost my records up to 1995, and I was issued with another (see above) only to have that taken away, then re-issued, with loss of records again.
So, I have zero faith in these people to actually do anything. I gave up trying to convince them otherwise, especially after I had to sign the Official Secrets Act on two separate occasions, in both of the NI names - the mind truly does boggle. I even asked the DCI I was working with at one time about it - he laughed. Sort of the reason for me wanting to get out of this country - it's a joke in very poor taste.
And yes, I would like the system mended, but for that you actually need a system, rather than a collection of badly thought out, incomplete, disparate bureaucratic make-dos that have been cobbled together and patched over in place of an actual working system.
The ICO is wailing over something it really can't do anything about rather than getting its mitts dirty dealing with something it can, i.e. Phorm.
ICO not toothless
I have a letter in front of me from Ken MacDonald, Assistant Commissioner, Scotland of the ICO threatening criminal sanctions against Scottish Community Councils.
There are 1200 of these organizations run entirely by volunteers. Many have annual budgets of just £250 for stationery and the like.
The councils generally discuss local community matters - particularly planning matters, public transport and policing - representing the community interest to the local council and other bodies.
The ICO noticed recently that these councils, which are statutory bodies, were not registered with its office. As this process involves payment of £35 and the filling in of many-page forms each year, it's perhaps not surprising that volunteers were not storming its door down with application forms.
This is all the more so when it's understood that Community Councils do not in general process personal information. When personal information is processed it is generally no more than the names and possibly email addresses of members of the councils - information that is generally publicly available anyway.
Community Councils generally do not even have computer equipment; any communication is done via members' computers and phones.
This process was apparently triggered when a community council published a local child's name in minutes. The fact that the ICO stood to gain £42,000 in annual fees was of course not a factor.
The fact that Community Council registration under the DP Act would mean those CCs or a representative of those CCs had signed up to "the Data Protection principles" and thereby promised not to be naughty again will, as far as I can tell, make no difference to the likelihood of an incident similar to the "Orkneys incident" happening again.
So when it comes to attacking local groups made up of volunteers giving their time in an effort to benefit their local community, the ICO has plenty of teeth.
"In three cases the information was recovered"
Does it matter if the information was recovered? Presumably it was never actually lost, just a copy of it went astray.
Saying it was 'recovered' would make most people think that the problem had been rectified, whereas in fact (a) the information was never 'lost' and (b) recovery does not mean the information has not been copied and retained by someone with larcenous intent.
I am puzzled; do these people not understand digital information systems at all, or are they deliberately intending to deceive?
Or both, of course.
Bah. Tell me every other country gets this wrong too, please?
RE: ICO not toothless
If they do not process personal information then they are exempt and do not have to register as Data Processors. Read the guidelines, and then if all 1200 are exempt you can write one letter back explaining that fact and will not have to pay any money.
They listen and learn
The problem is that government agencies don't learn from past experience and they carry on making the same mistake over and over again. I call it the "five second memory" scenario. No doubt this will happen again.