The ICO lists the actions that it takes against organizations that it deems to be in breach of the Data Protection act. This also serves as a useful source of statistical information which this blog entry briefly explores. There are a number of different actions that the ICO can take.
- Monetary Penalty Notices,
- Enforcement Notices
Overall StatisticsFor 2012 here are the overall statistics.
Total for Action
|Nr for Web
|Monetary Penalty Notices||24||1|
There were 62 incidents of which 5 relate to websites. Given the number of online applications that process personal information, 5 seems to be a remarkably small number.
Here is a high level overview of the web application incidents.
- 6th August: Sensitive personal information relating to 1,373 employees was published on the website.
- 1st March: Disclosure of personal information in training materials published on its website
- 17th April: a web design error that created the potential for unauthorised access to individual’s personal data
- 18th April: Two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.
- 30th November: A private area on the website was accessible to members of the public
The Rest of the IncidentsThe rest of the cases are made up of a mixture of the usual suspects:
- Information being sent to the wrong recipient.
- Paper files left in waste bins.
- Unencrypted memory sticks.
- Hard drives not securely erased at end of life.
It is worth taking a look at the ICO website taking actions page to get a feel for the kind of problems that exist. There is no real pattern. Website issues are only a small proportion of the overall numbers. It shows how difficult it can be for a security manager to put a comprehensive security program in place.