Significant fine for reckless or deliberate data breaches will focus minds at Board level
November 12th, 2009 by James Warren
- 711 organisations across the public, private and third sectors have reported security breaches to the ICO since 25 million child benefit records went missing two years ago this month;
- 231 of these involved theft;
- Several organisations have signed formal Undertakings to step up security at premises to ensure that people’s personal details are adequately protected;
- Over 200 private sector firms have reported breaches to the ICO and 209 NHS bodies, which tend to hold some of the most sensitive personal data such as health records, have identified breaches.
Since November 2007 the Information Commissioner’s Office (ICO) has taken action against 54 organisations for the most reckless breaches.
Some of these breaches would trigger a significant fine for organisations were they to occur after the introduction of monetary penalties in 2010.
The Ministry of Justice is considering allowing the ICO to impose fines of up to half a million pounds in the most serious cases.
On top of its new powers from 2010, the ICO will also be increasing its auditing role to ensure greater compliance with the Data Protection Act and new powers contained in the Coroners and Justice Bill would give the ICO formal inspection powers across government.
Can you afford a £500,000 fine?
It’s highly unlikely that a half million pound fine would be a pleasure to receive, so it’s important that all organisations, no matter their size or whether they’re in the private, public or not-for-profit sector, comply with all eight principles that make up the Data Protection Act (DPA).
How do I ensure compliance with the DPA?
The first thing that any organisation should do is identify where they are right now. Our DPA Compliance Assessment Tool will help you do that and will provide useful advice on how to meet any shortfall you may have.
Our DPA Compliance Toolkit contains the document templates and tools that are essential for any UK data controller (or any UK organisation that is responsible for personal information) seeking compliance with the UK Data Protection Act.
Armed with an understanding of where you are in relation to DPA compliance, and with the documentation templates and tools to achieve DPA compliance, you will stand every chance of achieving compliance before the fines come into force in 2010.
Considered best practice?
Organisations that are serious about the security of their sensitive data should consider implementing an information security management system (ISMS) such as ISO 27001.
ISO 27001 is the best practice specification that helps businesses and organisations throughout the world to develop a best-in-class ISMS. ISO 27001 is the first in a family of international information security standards that:
- will underpin and protect IT worldwide over the next decade;
- is designed to harmonise with ISO 9001:2008 and ISO 14001:2004 so that management systems can be effectively integrated;
- implements the Plan-Do-Check-Act (PDCA) model and reflects the principles of the 2002 OECD guidance on the security of information systems and networks.
You can find out more about ISO 27001 and download a free ISO 27001 Introductory Briefing Paper from our website today.