Lord McNally, a justice minister in the UK government, is seeking views on whether the changes now proposed to the European Union’s data protection legislation are progressive and effective.
The purpose of this call for evidence is to help formulate the arguments that UK representatives will put forward during the review of the EU Data Protection Directive, which began three months ago.
At present, there are fears that the language used in the UK’s Data Protection Act is confusing, particularly the terms that describe the various parties in a given data relationship, such as “data controller” and “data processor”.
Some believe the term “personal data” also requires further clarification, and many are uncertain that data transferred from the UK to other countries is being handled with sufficient care and security.
There was recent controversy when the EU renewed its agreement to pass financial data to the US government as part of the Terrorist Finance Tracking Program. The measure initially met opposition, with even the European Data Protection Supervisor questioning its necessity, but it eventually secured the backing of the UK government, a stance that may shape the UK’s position in the current reform of EU data protection law.
Lord McNally has set a deadline of 6 October for gathering advice and expert opinion on the subject, and this will run concurrently with a review of how well the Data Protection Act is currently serving the British public and protecting the private data of individuals.
Lord McNally spoke about the uneasy relationship between convenience and privacy in the digital age: many businesses take advantage of tools that streamline their operations but also make it easier for data to be used inappropriately. He believes that, properly legislated and balanced, there is a lot to be gained.
The EU data protection framework still relied upon dates from 1995 and, as such, is widely seen as outdated in the modern world.
The private data of millions of people in the UK is inadequately protected and the government needs to do more in order to ensure that its integrity is not compromised, according to a new report from the European Commission (EC).
The EC has said that the Information Commissioner’s Office (ICO) still lacks the powers that are necessary to tackle the serious issues surrounding data protection and security and it has called on the government to instigate the necessary legislative changes to ensure that this is rectified.
The EC has given the government a two month grace period in which it must ensure that there is full compliance with European law on data protection.
There needs to be greater transparency in the operation of bodies such as the ICO, according to the EC’s Justice Commissioner, Viviane Reding. She wants data protection law enforced in the UK without ambiguity, so that the right to data privacy is upheld in both the public and private sectors.
Ms Reding described the ICO as a guard dog kept locked in a cellar, effectively rendering it impotent and thus of little consequence to those who fail to protect data.
The EC said that it wants the UK to change rules that deny people the right to have personal information corrected or deleted, and it would also require that the ICO be able to carry out random checks and impose penalties for non-compliance with data protection legislation.
The ICO said that it was looking forward to working with the EC in order to appropriately address its concerns with the state of data protection in the UK.
If the UK government fails to satisfy the EC, the next stage could see it being brought before the Court of Justice, whereafter further steps might be taken.
The ICO has been seeking new powers after a series of high-profile data loss cases damaged public confidence in current security practices. However, in the eyes of some observers, a lack of political backing has compromised its efforts, with even the recent changes to its ability to impose penalties being seen as somewhat token.
A study of businesses and organisations based in the UK and Europe has found that many could be placing an unwarranted degree of confidence in their current business continuity plans.
Insurance broker and risk adviser Marsh produced its annual report on attitudes and opinions surrounding business continuity management (BCM), based on input from 225 respondents from the business world.
The main discrepancy noted in the report is between the 83 per cent of respondents who said BCM was central to mitigating and managing risk and the 30 per cent who said that BCM had actually improved their ability to make informed, firm decisions in the aftermath of a disaster.
Although this might be seen as troubling, the overall message of the report is that BCM is now higher on the agenda for most businesses in the EU. Marsh concluded, however, that heightened awareness did not correlate with the extent and scope of planning in many businesses, leaving firms exposed with inadequate contingency plans. In many cases, improved BCM was achieved only after a disaster had provided an all-too-practical demonstration of the failings of the previous plan.
Marsh said that although businesses appreciate the need for some kind of plan to ensure business continuity, it can be difficult to explain just how significant such measures can be to those who have so far remained unaffected by their absence.
Marsh’s Hugh Morris said that many of the larger businesses surveyed were unrealistic about the threats facing them, and that the recent travel disruption caused by the volcanic ash cloud proved that focusing solely on physical impacts to supply chains is not enough to appreciate the wider risk.
Business continuity experts believe that the best way to prepare a business for disruption with adequate BCM is to educate its senior management team, and that the importance of doing so rises with the complexity of the business.
Reports suggest that the EU could soon force businesses across the continent to publicly report when an incident involving data loss or a system security breach occurs.
The Information Commissioner’s Office (ICO) would have the power to demand information about serious compromises to data stored by businesses and organisations if a new EU directive governing data protection comes into force.
Telecommunications firms and broadband providers are already set to be subject to similar rules which ensure that data breaches are reported, and this may be rolled out across all businesses, according to the ICO’s David Smith.
Mr Smith was speaking to an audience at Infosec 2010. He said that the EU’s amended Privacy and Electronic Communications Directive will come into force before 2012, after which all businesses could face the same level of scrutiny.
The rules would apply only to ‘serious’ data breaches, and Mr Smith acknowledged that businesses would need a clear understanding of what that term means. He accepted that the ICO could otherwise receive thousands of reports of minor breaches, which would hamper its operation, and he recognises that proper training will need to be given.
The ICO said that in the three years leading up to 2010 a total of 962 serious data breaches were reported to it by public and private organisations combined, with NHS bodies appearing on the list more often than any other type of organisation.
Taken together, the NHS incidents account for 33 per cent of the total, including 113 reports of data or hardware being stolen and a further 224 reports of losses from within the organisation.
Mr Smith pointed out that these figures represent only the reports that UK businesses and organisations were willing to make voluntarily. The actual numbers could therefore be considerably higher, particularly in the private sector, where businesses are seen as answerable only to their shareholders and not to the public at large.
According to a recent survey, firms in the UK are taking to cloud computing solutions much faster than those located in other EU states, although there is growing concern over the lack of proper risk assessment of these new platforms.
The Information Systems Audit and Control Association (ISACA) compiled answers from its members and found that average cloud uptake across Europe was around 30 per cent, whereas in the UK 40 per cent of businesses are already using some form of cloud computing.
Around 25 per cent of UK-based enterprises and firms said that they had made the switch to the cloud without having total confidence in the security of the platform. Most are aware of the potential rewards from the point of view of productivity and cost-effectiveness, but there is still a concern that there is insufficient understanding of the associated risks.
ISACA’s Paul Williams said that the average UK organisation would have to manage the risks of cloud computing continuously as a core part of its operations. He also said that taking risks is perfectly acceptable in business as long as they are properly calculated and contingencies are put in place.
The survey found that UK firms were more likely to invest in managing risk at the level of IT and the organisation as a whole. This trend diverges from other European businesses, which start from the ground up by training staff in risk assessment.
More than 1,500 ISACA members took part, and the majority of their organisations were worried about exposure to problems caused by negligent or malicious employees. The second and third biggest concerns were the installation of third-party software and the use of unofficial online services on internal systems.
Social networking, although flagged in the report as a growing problem for several organisations, was regarded by most business leaders as a relatively minor threat.
It is unclear whether the report suggests that UK businesses are being enterprising or foolhardy in their pursuit of cloud computing for storage and backup, but there is no doubt that most experts believe the cloud holds the future for commerce.
A new report has found that businesses in the EU are failing to properly safeguard customer information due to a lack of cohesion in the implementation of security procedures relating to printing.
Printer firm Ricoh commissioned the investigation into common practices in businesses across the continent and found that fewer than half of all financial organisations have any kind of policy restricting the transfer of private information from a database to paper.
In the professional services sector the state of security is even worse, with just 43 per cent of organisations having proper preventative measures in place. The biggest potential for disaster exists in the public sector, where only a third of organisations were found to have any kind of system for preventing sensitive data from leaking out in printed form.
Despite the somewhat bleak picture that the survey statistics present, 49 per cent of the businesspeople questioned recognised that data security did not just stop with electronic storage and portable device encryption.
Ricoh said that a lack of accountability was causing most of the problems in this area, with delegation and shared responsibility leading to a culture of negligence. This decentralisation has also meant that data is used less efficiently, reducing business productivity.
Ricoh’s UK representative David Mills said that data management planning within businesses has to cover physical as well as electronic documents, and that a unified approach is necessary to ensure that common data security issues do not affect the wider operation of the business.
Mr Mills emphasised the importance of placing responsibility for the safety of customer data, across all platforms and media, with a single department or person. Highly sensitive data that slips into the wrong hands is embarrassing for everyone involved, but if accountability for proper security rests with a small group, this is far less likely to occur.
Data security continues to touch an international nerve across public and private sector organisations and businesses looking to move forward are being urged to work towards internal and external unity.