Friday, 21 February 2014

Lies, damn lies, and ICO statistics

Data Breaches. Who’d report them?

Well, over the past 9 months there has been a steady increase in the number of incidents that have been reported to the ICO. Admittedly, it is still a minuscule amount. Were it not for our chums in the health, local Government and education sectors, you might be forgiven for thinking that data controllers had, mostly, blown an almighty raspberry in Wilmslow’s direction by ignoring the invitation to report data breaches. When even Britain’s mighty telecommunications companies, who are compelled to make reports, can only think of seven incidents to report in the past 9 months, you get a sense of what is actually going on.

Does it matter?

It probably only matters if people misuse the statistics that are eventually published. It would be awful, for example, if NHS opponents were to misuse the most recently published ICO statistics to infer that data protection standards in the health sector were significantly worse than in other sectors.  No. To my mind, the statistics simply indicate that NHS managers have a pretty good idea of what is going on within their own organisations, and they tend to follow the breach reporting rules more closely than other sectors.

I do hope that the ICO statistics are not going to be misused by NHS opponents to undermine public confidence in the integrity of the NHS. Especially now that a public awareness campaign is being relaunched to commend to patients the potential benefits of greater sharing of some of their medical information. Such misuse would be completely wrong. Tempting, perhaps, but completely wrong.

When do we get to a stage, though, where the reported statistics are considered so meaningless that it is not worth carrying out any trend analysis? Are we seeing most of this elephant, or are we merely viewing a pimple on the elephant’s bum?

Perhaps what is helpful is not the volume of breach reports (which contain no information about the number of potential victims affected by each incident), but that these reports can be used to take a snapshot of the types of incidents that have occurred. Was the data disclosed in error? Lost in transit? Was there a technical security failing, or an insecure disposal? Data protection professionals can then turn the reports into “war stories,” for local consumption.

Accordingly, I think the ICO is right to continue to publish these statistics, but I would welcome a more thorough “health warning” to remind the uninitiated that what they are seeing is not the whole picture.