Do you have a spare £150,000?

Today the ICO has issued the Nursing and Midwifery Council a penalty of £150,000. Short change, huh?

In a fresh news release, the ICO gives details of the breach and of how organisations are failing to protect both those whose data they hold and themselves. In this particular incident the council lost 3 DVDs relating to a nurse’s misconduct hearing, containing confidential personal information and evidence from two vulnerable children. The ICO’s investigation established that the information was not encrypted.

You would’ve thought that:

  1. Such a large and established organisation would have adequate policies and procedures in place to withstand a breach; and,
  2. They would ensure precautions were taken to encrypt all media, data, files, software and devices. Unfortunately, it is these larger organisations that are failing to protect such things.

It is clear from such a release that not enough is being done, or in this particular case nothing is being done, to protect the personal information stored.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again […]

I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case?”

Read more of this report here.

We need to urge and encourage local councils, organisations and institutions to push for the funding, speak to the board and increase the budget, enabling organisations like the Nursing and Midwifery Council to encrypt their media storage devices, implement adequate training and communicate the right message to others. As it stands, the only message being communicated of late is the incompetence of those in control of personal data.

By trying to save a few pennies and cutting department budgets you, as an organisation, are putting yourselves at risk of a heavy penalty and a loss of trust. For a fraction of the penalty, the Nursing and Midwifery Council could have created a documentation system, deployed staff training programmes or e-Learning, and avoided being in the red with both their accounts and the press.

Make it the norm to be compliant with standards and acts such as the DPA and ISO 27001. These are not new: the Data Protection Act dates from 1998, ISO 27001 from 2005…

Maybe it’s time we and our organisations got into shape, stirred things up a bit…? What do you think?