ICS Data Protection Survey

The findings are, to say the least, shocking.

The first finding that strikes me is that the respondents (286 of them) were from IT functions within organisations. No offence to my brethern in IT but if Information is an Asset why are we asking plumbers about water quality and leaks? But that is a minor concern.

A more significant concern is the fact that organisations just don’t seem to get it. At least not some of them. The fact that the respondents have conflated “Data Protection” with “Data Security” is troubling. For the record: “Safe and Secure” is ONE of EIGHT principles for Data Protection (actually, they’re called principles for Data Quality but that is a topic I cover in a full day tutorial so I won’t bore you here). There are other principles that need to be respected just as much. As a political party discovered recently, if you haven’t obtaine the data fairly (Principle 1) then the fall out from having your systems hacked and data copied is only part of the problem.

Also, respondents seemed to be of the view that compliance with the Data Security Breach Code of Practice was an optional thing. In this context I have to fall back on the words of W.Edwards Deming:

You don’t have to do this. Survival is entirely optional.

For the sake of clarity, the Data Security Breach Code of Practice (which I was a contributor to) is not an optional thing. Adherence to the Code of Practice is just one of the costs associated with processing personal data. If your organisation doesn’t want to pay that price, then stop processing personal data. Balance that against the benefits that acrue from processing personal data (managing customers, employing staff, shipping product) and the “it costs too much” argument frankly evaporates.

What is required is

• You keep an internal register of incidents of data breach (regardless of “triviality”)
• You adhere to the guidelines of when you need to notify the data subject, the Data Protection Commissioner, or the police.
• You have a clear plan of action for dealing with the inevitable incident that data goes walkabout.

One commenter on the survey reported that they were concerned that there would be reporting of “trivial” breaches. One record lost may not look like much, but bear in mind that that is data relating to a person who has rights and who can sue you for a breach of a duty of care (should they suffer more than just emotional loss). Also, from my experience in Regulatory Compliance functions dealing with billing information, it is often the “trivial” that gives the clue to the “mind bogglingly significant”.

In a meeting with a client today one of the people in the room drew the very appropriate parallel with “near misses” in a Clinical care environment – every “near miss”, no matter how trivial, is seen in healthcare as an opportunity to avoid killing someone the next time. In Data Protection it is, and should be, no different – after all it is a QUALITY SYSTEM (with privacy being the expectation). Every avenue by which one record of data can leave is a window through which your entire customer database might be stolen – and would you know?

Recruit Ireland’s recent data breach was identified because spam emails came into a handful of test accounts and to a handful of clients. The GAA apparently didn’t even know they’d had a breach until they were contacted by the authorities.

Tom Redman (one of my mentors and friends) has written about what he calls the Unique and special properties of data as an asset. One of those is that it can be stolen from you without you noticing and it can multiply (in terms of volume- metadata, and in terms of cloning- copies being taken). The Data Security Breach code of practice is one mechanism by which organisations can get a handle on how data is multiplying and spreading within their organisations and where the risks come from regarding the security and control over that data.

For organisations who think this is “not that big a problem” or for whom the cost/benefit ratio doesn’t stack up, I would suggest looking across the Irish Sea to the UK where they have introduced new penalties for breaches of the Data Protection Act there. Currently, the penalties in the UK for breaches of the Data Protection Act 1998 can be up to £500k per offence.

For example, the London Boroughs of Ealing and Hounslow were recently fined a total of £150,000 for a single incident of a data breach affecting 1700 people.

That’s almost £10,000 per record.

With a new EU directive in the pipline, one of the goals of which is to standardise penalties for Data Protection breaches across the EU27 it is only a matter of time before we see similar penalties being levied here in Ireland.

Of course, the question then arises about the disincentive to report breaches if there are penalties involved. The thing is that there is already a well established precedent for admitting mistakes and rectifying the situation in the way in which the Revenue Commissioners deal with “Voluntary Disclosure” of tax non-compliance. If you do a “Voluntary Disclosure” then there is wriggle room for Revenue on the penalties that will be applied. The counter weight to self-incrimination is the assured knowledge that the penalty you will face will be no more than what you would have had to pay had you been in compliance the first place.

My personal view is that, given that the DPC’s “risk based auditing” model seems to parallel the model applied in Revenue, it is likely that a similar model will emerge in the DPC. As it stands, organisation who cooperate with investigations and make efforts to become compliant have less to fear from the DPC than those who ignore, evade, or otherwise seek to avoid their duties under the legislation.