Straw grants ICO half its wish list
Some new powers but not enough
More than a year after the government lost the discs containing the UK's entire child benefit database, Jack Straw is offering to increase the funding and powers of the Information Commissioner's Office.
The ICO wanted powers to investigate any organisation it suspected of failing to follow data protection principles. Straw is offering to let it probe public organisations but not private companies.
Information Commissioner Richard Thomas welcomed the new power to inspect public bodies but said: "We would have preferred to have this power to undertake audits extended to private sector organisations as well."
Back in December 2007 Richard Thomas asked for stronger powers and better funding. He suggested private companies include a data protection statement in their annual reports so it would be signed off by chief executives. He also asked for a new criminal offence to be created.
Thomas also questioned whether the broad thrust of the government's data sharing policy really took privacy seriously.
The ICO is funded by charging organisations £35 to register data controllers - this fee is the same whether you are a huge government department or an individual holding a handful of people's details. Instead there will be a sliding scale of charges for different organisations going up to a maximum of £1,000. Some smaller firms will be exempt from charges.
This increase will give the ICO annual funding of around £16m compared to its current budget of £10m.
Meanwhile the government continues to lose data, albeit not on the scale of HMRC's massive giveaway. It emerged yesterday that the MoD had lost 200 devices in the last year. Staff have lost 59 memory sticks, 62 laptops, 4 desktop computers and, impressively, 72 hard drives. Meanwhile thieves have made off with 6 memory sticks, 58 laptops, 8 desktops and 2 hard drives. ®
72 hard drives?
If those are the nice, nickable external sort, there would be a *lot* more than a few DVDs' worth of our data on them.
If they're not ... you mean people are wandering in with screwdrivers and ... ?
Mine's the one with a couple of hard drives and a screwdriver in the pocket.
Losing kit != losing data
Statistics etc blah blah blah.
Losing kit is bad, unless of course you lose your horrible laptop and get a shiny new one. But losing kit does not mean that any data has been lost.
However, anecdotal evidence would suggest that there is a correlation between the amount of sensitive data on board a piece of kit, and the likelihood that some idiot will leave it on a train/bus/backseat of taxi or in a pub loo.
In an organisation that I am quite familiar with, I know of a case that went like this:
- External party comes in to do some work
- CIO says 'no 3rd party laptops, no removable media'. Good man.
- External party takes data on a USB stick. Loses it. Mucho sensitive data on it. Fesses up.
- CEO 'appoints' CIO as data security officer, tries to sack him for security breach
- CIO has a fit and threatens legal action
- External contractor slapped across the wrist with wet bus ticket
- 'Reorganisation' a month or two later sees CIO role downgraded
So CIO was hoisted on a large petard as a scapegoat precisely because the organisation had failed to take data security seriously - until there was a problem.
But by then, said horse has bolted.
I'd like to see a study on how many cases are reported compared to how many there really are...
"@4 destop computers? " "FOR FUCKS SAKE" "el regs readers"
FFS, if you're going to go all teachey, avoid typos and cure your RGA (reverse greengrocer's apostrophe) syndrome. Also, "this mistake" might have been slightly more appropriate than "that mistake". But I'm just saying.
Hey, don't push, I'm leaving already