Punishments for public sector data breaches hit a new high-water mark recently as the UK Information Commissioner’s Office (ICO) imposed its biggest fine to date. Midlothian Council in Scotland was fined £120,000 for sending information on children and their carers to the wrong recipients.
Rising fines may suggest how desperate the ICO is to highlight the need for public authorities to improve data protection policies and enforcement. Local authorities were fined a total of £620,000 for data protection failures last year – a large amount of taxpayers’ money being wasted by employee error.
In the wake of Midlothian’s fine, the ICO called for local authorities to improve the policies, checks and training they have in place. This is all very well, but the failure to spot these contraventions does highlight how difficult it is for an organisation like Midlothian to understand, assess and be in the strongest possible position to resolve access risk issues.
The challenge for local authorities is that they don’t have the specialist skills in-house to take command of these issues. While a chief data protection officer function needs to be cultivated, public sector organisations also have to seek technology solutions that provide the intelligence and support needed to make the right access risk decisions.
The identity and access management industry has recognised that it can do more to assist local authorities in making their data protection fit for purpose. New approaches to access risk management can reveal where the greatest risks lie and alert the authority to breaches in real time, rather than five months later, as was the case at Midlothian.
To turn around the failed data protection policies at Midlothian, the council must create a culture of shared responsibility for data security among its employees. To achieve that, the organisation needs to better understand access risk and get a comprehensive view of where data breaches may occur. It also needs effective security policies and access risk management solutions that enable it to maintain control of who is accessing sensitive information and how it is being used.
By integrating user access policies with access risk management technology, public organisations will be better able to monitor risky activities, detect unauthorised data usage and escalate security alerts to the relevant staff. This puts full control of access risk in the hands of the organisation, while ensuring better enforcement of security standards and more visibility of access risk issues.