Law Enforcement Blog

Exactly How Safe Is Your Data?

As the Information Commission Office’s deputy, David Smith, recently noted (http://tinyurl.com/yervonr), a poor understanding of the Data Protection Act and a lack of communication and training on the subject of security remain key issues in recorded corporate data breaches.

Beware the ‘blaggers’

ICO investigators have been involved in cases where government departments such as the Department of Work and Pensions and Revenue and Customs have been targeted by bogus callers attempting to gain access to confidential information. Such ‘blaggers’ are particularly interested in itemised bills for landlines or mobiles, and as a result telephone service providers are routinely targeted. GP surgeries and hospital records departments are other regular targets.

And while, in the private sector, information security breaches are estimated to cost the business community approximately £10bn a year (http://tinyurl.com/ydd3qm5), these issues also extend to UK police forces.

As the ICO note (http://tinyurl.com/yc9jcn7), most Professional Standard Departments of UK police forces are at one time or another investigating police officers and police staff in relation to unlawfully obtaining personal information held on police systems – most commonly the Police National Computer (PNC). Accessible 24 hours a day, the PNC saw approximately 185m transactions during 2008 alone.

Abuse of police systems

One 2009 case in Essex saw an individual access Essex Police intelligence systems unlawfully 800 times, passing on to third parties mobile telephone records and accessing criminal records. The punishment for this breach of the Data Protection Act? A £750 fine.

There are numerous other cases of police forces prosecuting staff for unlawfully accessing personal information on police systems. And with police systems growing ever more complex and providing the ability to retain and access large quantities of confidential information, information security is only likely to grow as an issue.

The impact that the growing civilianisation of UK police forces will have on this issue is also difficult to determine. As the ICO note, staff attitudes to data protection are a critical element of successful information security. While both police and civilian staff have been involved in information security offences, are civilian staff more likely to fail to recognise the implications of breaches in relation to invasion of privacy and crime?

Data security and police civilianisation

If more force positions are filled with civilian staff, contractors or part-timers in place of career professionals, what additional issues of vetting and protecting quality of service, particularly in relation to information security, will be raised?

With the ICO report concluding that staff and management attitudes to the subject were critical to ensuring data is adequately protected and that the potential value of personal data was fully understood, it seems clear that structural and management practices, strict processes and procedures, as well as communication, all play a part in addressing this issue. Equally, appropriate IT systems and solutions have a critical role to play in supporting organisational practices and processes.

Whether operating in the public or private sector, there should be no doubt that the subject of information security is one many organisations need to spend considerably more time thinking about.
