2014 Q4 figures released by the ICO (Information Commissioner’s Office) reveal that, of the data breaches reported to them, over 40% originated from the healthcare sector. Local government and education are a distant second and third respectively.

Source: ICO Q4 2014 Data Breach figures
The vast majority of these were attributed to human error, which is broken down in detail in the next chart.

Source: ICO Q4 2014 Data Breach figures
Principle 7 failures originate from inadequate technical controls.
The ICO states:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Chun’s View
The raw figures indicate that the healthcare sector is prone to unintended personal information exposure (bear in mind these numbers haven’t been normalised); it could be that this sector’s threshold for reporting is lower. It does reinforce the point that the majority of data leaks are due to human error.
Mitigation
Board-level sponsorship of Data Protection and Information Security training, as part of a larger learning and development regime, is essential. It must be viewed by the organisational population as worthwhile.
This must be formalised into the training strategy and woven into the Employees Handbook and Security Policy of the organisation.
As well as regular training targeting people who handle personal data, quality assurance of that training is provided by tracking training metrics, such as completion and pass rates. With a sufficient data set, these may be correlated against the number of incidents reported. Incident rates may actually increase, as more may be reported when people are more aware of their obligations.
Parting words
Whichever sector you’re in, guarding against unintentional exposure of personal information is essential to maintaining your organisation’s reputation and avoiding the attention of the ICO.
Further reading (ICO)