In April 2010 the Information Commissioner acquired powers to fine businesses up to £500,000 for serious breaches of the Data Protection Act 1998. Judging by the press releases on the ICO website for the second half of 2010, the increased fines seem hardly to have acted as a deterrent.
Loss of unencrypted data on laptops, memory sticks and CDs was a recurrent theme in the second half of 2010. Local authorities and NHS trusts were among the worst offenders. Sensitive material was left on trains, at bus stops or on the London Underground or accidentally published on the internet. By way of variation, records turned up in skips or at recycling centres on several occasions.
Organisations in both the private and public sectors have taken a laissez-faire approach to data security for far too long. They now risk draconian fines, and it can only be a matter of time before custodial sentences become available for data protection offences. Furthermore, private individuals affected by the loss or misuse of their personal data are increasingly aware that they have the right to bring proceedings for the damage caused.
If businesses adopt only one resolution for 2011, it should be to take data security seriously, from focussed staff training to appointing a board-level officer with specific responsibility for data security. It could be the best investment of the new decade.