A recent report from the Information Commissioner’s Office (ICO) based on an audit of 16 local authorities (LAs) and their compliance with the Data Protection Act (DPA) made for interesting, if slightly disquieting, reading. Entitled Findings from ICO audits of 16 local authorities, the audit highlighted data sharing policies and practices as an area that required particular attention. The overall assurance ratings assigned to the LAs ranged from reasonable to limited to very limited and led the ICO to state that they showed “there is room for improvement in all the organisations we visited”.
While a majority (58%) of LAs fell within the reasonable assurance category, where there was only “some scope for improvement in existing arrangements”, 38% were defined as limited assurance, leaving “considerable scope for improvement in existing arrangements”. One of the LAs provided only “very limited assurance”, which meant a “substantial risk of non-compliance” with the DPA with “immediate action required”.
Group manager for the ICO’s good practice team John-Pierre Lamb revealed that it had levied monetary penalties totalling over £2.3m on local authorities for the most serious breaches of the data protection principles. The breaches followed a consistent pattern, “with personal information being disclosed in error and lost or stolen paperwork and hardware prevalent”.
The report concludes that the figures show that local authorities have much to do to improve data protection governance and training. It stresses how important it is to appreciate that a lack of effective governance structures and training programmes significantly increases the risk of serious breaches of the DPA.
The significance of how effectively LAs and other organisations comply with data protection policies is underlined by the effects of a number of data breaches that resulted from unsafe file sharing practices. The list of examples includes the posting on the web of nude photos of celebrities allegedly hacked from Apple’s iCloud service, user email addresses stolen from a Dropbox employee’s account, the leak of a list of 5,300 Sky Broadband customers alleged to be illegally sharing adult films online, and the incident where Box.com handed a customer’s account over to someone else, without the customer’s knowledge, who then deleted it.
All of these incidents showed just how easy it is to misuse or mislay data without the proper protection steps in place. So what should organisations do to ensure the data they hold is safe and compliant with current data protection guidelines? The ICO stressed a number of key points, such as assigning ownership of information governance to a key post and publishing and making policies and procedures available to all employees.
The results of the ICO audit and its recommendations are timely because they coincide with the development of a new data protection regime from the EU, which is likely to extend its scope to all foreign companies processing data of EU residents. This measure, known as the General Data Protection Regulation (GDPR), provides for a harmonisation of data protection regulations throughout the EU, making it easier for non-European companies to comply with these regulations.
But it also includes a strict data protection compliance regime with severe penalties of up to 5% of worldwide turnover for organisations in breach of GDPR. Rumoured to become enforceable from late 2015, this combined regulation will require best practice across the board, from every organisation across the EU. One of the best ways to bolster an organisation’s data protection regime is to implement a file transfer system that can ensure visibility over the file transfer process and enforce corporate policies for transferred files by maintaining permissions for access to and transfer of important business content.
However, file transfer processes suffer from a number of problems. Many organisations use email as their main platform, but their email infrastructure is not designed to act as the primary file transport mechanism. In the vast majority of email systems there is no guaranteed delivery of content, the content is not encrypted, and it is difficult and time-consuming to audit content sent via email. Another problem is that many organisations use automated and manual systems to exchange large quantities of structured and unstructured data for transaction processing or for sharing information up and down the supply chain.
They often employ a variety of systems to exchange this data, leading to incompatibilities between different file formats and a lack of centralised control over how data is sent, translated and managed on a long-term basis. This generates a number of issues, such as content not being tracked through its lifecycle, the chain-of-custody not being maintained properly and cumbersome translation between different file formats.
The consequences are that organisations lack visibility into the file transfer and management process, and are unable to impose consistent standards for file transfer across all parts of the organisation. Poor data governance can make it very difficult to comply with the demands of a regulator during an audit or with corporate or industry policies for data governance.
Instead of relying on email and a collection of file transfer methods for sharing business-critical content, organisations need to deploy a robust content transfer solution that ensures data sharing is safe and compliant. The solution should give them visibility during the entire lifecycle of the content, enable granular control over file transfers, ensure content validation and provide SLAs that permit organisations to manage file transfers efficiently, effectively and in a timely manner.
With LAs and other organisations increasingly dependent on the transfer of disparate types of information, there is a need to manage content transfer processes in an efficient manner that provides complete, end-to-end management of content over its entire lifecycle and enables the enforcement of corporate policies. To achieve this objective, file transfer systems need to be scalable, reliable, automated for efficiency, secure, and able to adhere to a broad set of regulatory requirements. Otherwise, when the GDPR does come into effect, we could see tougher and more frequent fines being handed out, and the next audit could make even messier reading.