31 January 2012

DATA PROTECTION AND ALL THAT – WHAT DO YOU THINK?...

Well, January is nearly over and it’s time to look at all the research that’s been produced over the past year to try and draw meaningful and usable statistics...
I do this very selfishly before starting in anger on the conference circuit as I like to have up-to-date figures and stats in my presentations (and let’s face it, we all love numbers! ;-)
Today, I focus on the research produced by the UK Information Commissioner's Office (ICO) in the following two reports: Report on Information Commissioner's Office Annual Track 2011 - Individuals and Report on Information Commissioner's Office Annual Track 2011 - Organisations.
Since the revised Data Protection Act came into force in 1998, the ICO has monitored awareness and understanding of this legislation amongst individuals and organisations in both the public and private sector. The studies were conducted amongst approximately 2,500 individuals and 400 public and 400 private sector organisations, with an even split between small and large businesses.

Security as a social concern, what the numbers say...
  • Individuals are mostly concerned about the passing or selling of their personal details to other organisations (97%) with security of their personal information coming second at 96%;
  • 93% of individuals believe that organisations request too much personal information (remember, if you don’t need it, don’t ask for it, and certainly don’t keep it!)
  • 83% of individuals believe that organisations keep their information for too long (when’s the last time you looked at that retention policy?...)
  • 74% of individuals believe that online companies do not collect and keep their personal details securely and 81% are concerned about organisations collecting and keeping their details online. (If you do one thing today, give your web developers the OWASP Top Ten, it’s FREE!)
  • 66% of individuals believe existing laws and practices do not provide sufficient protection for their personal information (well, EU breach disclosure and data protection laws will soon see to that...)
It was also interesting to note that individuals mostly rely on the media (41%) and their workplace (21%) for awareness of data protection issues (how is your training programme shaping up?).
Another interesting snippet is that individuals mostly rely on their Citizens Advice Bureau for advice on information protection and the DPA (60%) with the internet and a solicitor in joint second place at about 19% and very few were aware of the ICO.
So for all you marketing people out there, look at the figures, they are compelling: people think security is important, use it! Also, go and find out where your customers go for advice, it may surprise you...
Security as a corporate concern, is it any better now?...
Well, rather than pondering at length, I think the table below speaks for itself:
What obligations are you aware of that organisations have to comply with when processing personal information?

Obligations (Unprompted)                                     | Public Sector           | Private Sector          | Overall | Overall
                                                             | Large | Small | Total   | Large | Small | Total   | 2011    | 2010
Personal information is kept secure                          | 75%   | 66%   | 71%     | 75%   | 73%   | 74%     | 72%     | 54%
Personal information is processed for limited purposes       | 42%   | 31%   | 37%     | 35%   | 24%   | 29%     | 33%     | 28%
Personal information is not kept for longer than necessary   | 46%   | 28%   | 38%     | 29%   | 21%   | 25%     | 32%     | 24%
So, if we turn the figures around, this means that 28% of organisations are still unaware that they must keep their customers' personal information secure, 67% of organisations believe it’s OK to use personal customer information for purposes other than what it was requested for (have they talked to their legal departments?) and 68% of organisations believe that they can keep customer information for an indefinite period of time (yep, that retention policy again)... So, if data privacy is not on your radar, have a look at my blog post on privacy laws...
Admittedly, I was expecting to see a large difference in attitudes towards information security and data protection between corporates and SMEs, so I was surprised to see that this was not the case (only about 10% difference between large and small organisations overall)...
Another interesting point is that public sector organisations are generally more aware (by 6%) than private sector businesses (and we know why that is: the ICO traditionally focused on public sector and has only recently turned its attention to the private sector, with all the fines and public exposure that ensues...).
So all in all, the figures are going the right way if we compare 2011 to 2010, but we still have a long way to go and still a lot more to come, as summarised in my post on EU regulations.
Until next time...