Government and business must review data security now

The warning comes from data vaulting and digital security specialist Cyber-Ark, following the latest data loss, this time from a laptop used by a Welsh GP’s surgery. “This latest government agency fiasco centres on the theft of a laptop from a Newport GP’s surgery in early November. Here we are, approaching six weeks after the event, and only now do we learn that the names, addresses, dates of birth and phone numbers of as many as 3,000 patients, many of whom are in poor health, have been lost,” says Calum Macleod, Cyber-Ark’s European director. Macleod insists that there should be “a root, tree and branch” review of government and government agency security arrangements, with the possible formation of a public sector version of the Information Commissioner’s Office, creating agency policy and offering guidance. “The Citizen’s Charter of 1991 gives people the right to demand certain levels of service from the government and its agencies, but the problem with all these data losses is that people only get to know about the problem generally and after the event,” Macleod says. “Those people affected by the recent spate of data losses, including the seven million parents of children whose data was lost by the HMRC’s incompetence, could sue the government, citing the fact that the Citizen’s Charter has been broken,” he adds. There’s also the small matter of the Data Protection Act, which states that anyone who processes personal information must comply with the eight principles – including that the data is secure and not transferred to other countries without adequate protection. Maxine Holt, senior research analyst at independent analyst Butler Group, recommends that government – and businesses generally – use the ensuing compliance agenda as an opportunity to drive organisational change and improvement. “[Compliance] places IT management at the centre of the organisation and demonstrates the value of the effective management of information,” she says. “The role of IT management in compliance is not just to ensure that the business stays within the law, but to support fellow managers and others, in improving business processes and procedures.” Holt’s view: “With the volume of data protection breaches increasing daily, now is the time for organisations to review their entire compliance procedures to ensure that they are still operating within the law, and are indeed protecting their customers’ personal information.”