Managers must face security responsibility

Smith: Above all, it's about accountability

There needs to be clear accountability for data protection within organisations to ensure security of information, according to experts in the public sector.

Data protection will improve when senior corporate officers’ jobs or freedom are at risk, deputy information commissioner David Smith told the Westminster eForum on Security last week.

“It is about scrutiny, policing, data deletion and data minimisation, but above all it is about accountability,” he said.

Smith said that information assets should be allocated to a senior officer, as well as board-level accountability, scrutiny, public statements about the way the organisation handles data, effective regulation and annual assessments.

“You need to decide who should be shown the door if things go wrong, and if you cannot answer that, there is a problem that needs to be addressed,” he said.

“While penalties will change the culture to some extent, I do not think the value of the fines matters; reputation is the driver.”

The issue is not being taken seriously enough by managers and many recent breaches could have been avoided, according to Francis Aldhouse, consultant at legal firm Bird & Bird.

“I agree that we need a culture change. We have seen examples where data protection has not been a management priority, so conscious decisions have been made not to address the significance of the issue,” he said.

“I would like to see criminal penalties ­ on organisations and individuals ­ for failing to comply with regulations. The only way is to make it possible for managers to suffer.”

Phillip Wright, a partner at PricewaterhouseCoopers, said: “The biggest area of risk is data transfer. We should be looking at minimising it and eventually phasing it out.”

Carrie Hartnell, programme manager for information and security at industry trade association Intellect, said: “Regaining customer and consumer confidence is vital, especially as we are moving towards putting more services online.”

Hartnell said Intellect thought that legislation requiring data breach reporting was an inevitable step.

“We believe that there will be a requirement, not just an option, to report data breaches in future,” she said.