Given what can only be described as an omnishambles of security breaches, is there much more that the ICO can do to warn data controllers of the risks they should take account of?
What might be helpful though, is data controllers refreshing their memories about the guidance which has emerged from the ICO over the past few years.
In terms of the top 7 ICO publications, (virtual) copies of the following guides really ought to be at every DPO’s fingertips:
7. Guidance on data security breach management (Dec 2012). This very high level, 8-page guide, builds on earlier advice that breaches of non-sensitive personal data relating to more than 1,000 victims should be notified to the ICO, while breaches of sensitive personal data relating to far fewer victims should also be notified.
6. Bring your own device (May 2013). This 13-page document contains advice on what a BYOD policy should contain, what security issues to consider with regard to data storage & transfers, and guidance on monitoring at work.
5. Guidance on the use of cloud computing (Oct 2012) This 23-page guide, evidently about to be revised by the ICO, contains a useful PIA-type check list which covering the issues (in terms of risks, confidentiality, integrity, availability & legal factors) to consider when using a cloud provider.
4. Privacy in mobile apps – guidance for app developers (Dec 2013). This 23-page guide contains some basic security advice, together with useful examples of good and bad practice for app developers.
3. Encryption (Mar 2016) This 35-page guide highlights, through a range of practical scenarios, when different encryption strategies can help provide a greater level of protection.
2. A practical guide to IT security (Jan 2016). This natty 18-page guide reports on 10 practical ways to secure IT systems. Sections offer high level guidance on the importance of:
- Assessing the threats
- Getting in line with Cyber Essentials
- Securing data on the move & in the office
- Securing data in the cloud
- Backing-up data
- Staff training
- Monitoring alerts
- Documenting controls
- Minimising data
- Monitoring contractors
However, and by a country mile, top of my list of "must read" ICO security publications is:
1. Protecting personal data in online services: learning from the mistakes of others (May 2014). This 46-page guide focusses on the most common 8 computer security vulnerabilities:
- Software updates
- SQL injection
- Unnecessary services
- Password storage
- SSL/TLS configuration
- Inappropriate locations
- Default credentials
So there you have it. Security breaches may well occur despite data controllers having taken account of the ICO’s advice – but woe betide a data controller that suffers a security breach because they’ve wilfully disregarded the published advice.
An inability to follow these basic guides will continue to be an aggravating factor that will be taken into account when the Information Commissioner decides what level of Civil Monetary Penalty to impose on a recalcitrant data controller.