The 21st annual report from the Data Protection Commissioner’s office has been released. As usual, it makes for some very interesting reading. The report notes that the number of breaches reported to the office has doubled since the previous year. Most of these reported breaches are from organisations within the public sector. While the first reaction may be to say the public sector is not taking due care of the personal data entrusted to it, I would argue that the public sector is neither better nor worse than the private sector.
One of the main reasons for the increased number of reported incidents from the public sector is most likely the guidance issued by the Department of Finance in late 2008 “encouraging” government departments to report breaches to the Data Protection Commissioner. See section 4 on page 23 of the guidance.
In my opinion, the Data Protection Commissioner’s report reinforces the argument that Ireland should introduce mandatory data breach disclosure laws. My own thoughts on that particular issue are in this presentation that I gave at the last NITeS seminar.
I strongly urge you to take the time to read the report and to ask yourself the question, “How effective are my security controls in protecting the personal data entrusted to my organisation?” If you find it hard to determine how to answer that question, there is a very good self-assessment checklist available on the Commissioner’s site.