The number of data breaches reported to the Information Commissioner’s Office (ICO) has reached 1,007 as of today.
The breaches, which date back to November 2007, include those that have occurred since the ICO was given the power to award financial penalties for serious data breaches on 6 April. However, the office said that it has yet to exercise this power and confirmed that no organisations have been fined.
Earlier this week, HM Revenue and Customs was forced to apologise to around 50,000 tax claimants after it sent details of tax credit renewal packs to the wrong people.
Although some packs included the earnings, bank sort code and last four digits of the bank accounts of other claimants, HMRC said the risks of ID theft were low because only a small number of details were accidentally revealed. It blamed the situation on an “error” in one of its tax credits print runs.
The tally revealed at the Infosecurity Europe conference in London last month showed that the NHS was responsible for the highest number of breaches, with 287 over the past few years. The latest count shows that the NHS still tops the table, with its total having increased to 305.
Again, the majority of the breaches were the result of data or hardware being stolen (116) or lost (87). These figures had increased from 113 and 82, respectively.
In the 1,007 breaches, the private sector remained second after the NHS, with a reported 288 breaches, followed by local government, which had 132.
Examples of common personal data losses include the loss of paper documents, such as in December 2009, when documents containing mental health records relating to 1,970 patients were reportedly lost during transit with an external courier. Loss of unencrypted memory sticks is also frequent, including a memory stick that contained social services information on 40 children being found on a public street in Stoke-on-Trent.
David Smith, deputy commissioner, said: “We all know that mistakes can happen, but the fact is that human error is behind a high proportion of security breaches that have been reported to us.
“Organisations should have clear security and disclosure procedures that staff can understand, properly implement these and ensure that they are being followed by staff. Staff must be adequately trained not just in the value of personal information, but in how to protect it.”
To help organisations comply with data protection regulations, the ICO has produced a ‘Guide to Data Protection’, which includes tips on how to minimise the risks of security breaches occurring.