Privacy watchdog plans spot checks
Information Commissioner's Office will begin inspections by the end of the year
Tom Young, Computing, 30 Apr 2008
The UK’s privacy watchdog will start security spot checks on government departments by the end of the year, after the idea was approved by prime minister Gordon Brown.
Currently the Information Commissioner’s Office (ICO) can only examine the data sharing and data protection policies within government departments, and then only by prior arrangement.
Information commissioner Richard Thomas told an audience of IT security specialists in London that his office will soon be given new powers.
“The Ministry of Justice will bring forward proposals on inspection powers and increases in funding,” he said. “We hope to be inspecting government departments later this year.”
The ICO chief has been pushing for extra powers and funding since his appointment in 2002.
Brown granted a review of the watchdog’s resources after a number of high-profile security breaches – including a lost Ministry of Defence laptop with the details of 600,000 potential recruits and the loss of two discs by HM Revenue and Customs (HMRC) containing the personal details of 25 million families.
Meanwhile, the ICO announced last week that since the HMRC security breach last November, another 94 serious breaches have occurred in both public and private sector organisations.
A third occurred in central government and associated agencies and another third at a local government level.
Of the 30 private sector breaches, half were reported by financial services firms.
Of the total, 16 cases prompted the ICO to force the organisation concerned to make changes to security policies, such as implementing data encryption technology. It said that in three instances the lost information had been recovered.
Thomas welcomed the implication that organisations were taking security responsibilities more seriously, but said the figures must not lead to board-level complacency.
“I am encouraged that more chief executives and permanent secretaries appear to be taking data protection more seriously, but the evidence shows that more must be done to eradicate inexcusable security breaches,” he said.
Security update
The cost to the UK of information security breaches fell 35 per cent from £10bn in 2006 to about £6bn in 2007, according to a PricewaterhouseCoopers survey.
It found 60 per cent fewer companies reported malware attacks than in 2007 but almost all (96 per cent) very large companies had some kind of security incident.
Some 54 per cent of firms now allow staff to access networks remotely, thanks to improved security, with 94 per cent of respondents now encrypting wireless networks, up from 48 per cent a year ago.
But 52 per cent conduct no staff risk assessments and 67 per cent do nothing to prevent portable media data leakage.
© 2008 Incisive Media Investments Ltd