Privacy tsar: 277 data breaches since November

Summary: Information commissioner Richard Thomas says the government and private sector must realise that more databases mean more data breaches

The information commissioner has criticised the mishandling of personal data by the private and public sectors, in the light of hundreds of data breaches reported to his office over the past year.

In a speech to the RSA Conference Europe 2008 on Wednesday, Richard Thomas said that 277 data breaches had been reported since last November. Thirty serious incidents, in both the public and private sectors, are still under investigation.

"I can reveal today that the number of data breaches reported to my office has soared to 277 since November 2007," said Thomas. "There have been 28 breaches by central government; 75 within the NHS and other health bodies; with 80 reported in the private sector. We are currently investigating 30 of the most serious cases."

Thomas said that, in the past year, his office has taken enforcement action regarding data losses against HM Revenue & Customs, the Ministry of Defence, the Department of Health, the Foreign and Commonwealth Office, Virgin Media, Skipton Financial Services, Carphone Warehouse, TalkTalk and Orange.

Thomas urged industry and government leaders to avoid being "asleep at the helm" when it comes to safeguarding information. Both the public and private sectors must be aware of the risks of abuse of massive databases of personal data, said Thomas.

"It is time for the penny to drop," said Thomas. "The more databases that are set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made. The more you lose the trust and confidence of customers and the public, the more your prosperity and standing will suffer."

Thomas said that organisations must adhere to the principle of data minimisation, holding only as much personal data as they genuinely need for as long as they need it, if they are to avoid the reputational damage that follows a loss.

On Wednesday, the Home Office defended its proposed National Identity Register, the huge, centralised database behind the ID cards scheme.

The government department has also proposed a centralised database containing the details of communications made by every UK citizen, including telephone caller and receiver, email sender and recipient, and web-browsing habits. The Home Office said that such far-reaching databases were necessary due to the evolution of technology.

"The communications revolution has been rapid in this country and, because of changes in technology, the way in which we collect communications data needs to change too. If it does not, we will lose this vital capability that we currently have and that we all take for granted in fighting and solving crime," said a Home Office spokesperson. "Of course, there is a balance between privacy and our liberty, which is why we have said we will be consulting on this and seeking a political consensus."

Regarding the proposed communications database, the Home Office added that "no decisions have been taken" and that it will be "consulting in the new year".

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

1 comment
  • How to Address these Data Breaches

    A solution is required to centrally manage, monitor and control precisely which removable storage devices and applications are permitted to run on government networks. A system that minimises user access rights to data, applications and removable media by operating a whitelist of known, trusted and permitted applications and devices. By default, end users should have no access to removable media and where this is permitted, via centralised control of the user privileges, encryption can be enforced on the data or the device. This
    lumension