At a time when every penny counts, the people of Hampshire will be ruing the £100k fine placed on their County Council by the ICO. What other services could be compromised to pay that penalty?
The fine came about because highly sensitive information about adults and children was found in confidential waste paper bags in a building. So what can be done to avoid situations like that in the future?
1 - Become digital by default
It has been a government objective for a while now. Forward-thinking authorities like Warwickshire County Council and its partners are working digitally, which avoids the need for paper, amongst many other benefits. It uses our powerful secure cloud pam solution for multi-agency safeguarding hub activity. This covers adult and child safeguarding as well as domestic-abuse-related cases.
2 - Have an effective Information Security Management System (ISMS)
Safeguarding information assets, like safeguarding the people themselves, is a fast-growing area of concern for authorities and their supply chains. Hampshire County Council should be applauded, as it actually gained ISO 27001 in 2008, although it is not clear whether that is still in place, what its scope is, and whether this breach was covered by it (i.e. this may have been a failure to execute a policy rather than the absence of one).
Many authorities can't see (or struggle to justify) the benefits of investing in certification against standards like ISO 27001:2013. They focus instead on following those practices, and perhaps on achieving other compliance regimes such as PCI DSS and the health governance standards.
However, authority leaders will be looking at that fine (and at some of the others in recent times, like the CPS fine), and may need to rethink their approach.
With the EU GDPR also fast approaching, the consequences of poor information security practices like this example would probably be higher than £100k.
At the very least, authorities should be looking to ensure that their supply chain has Cyber Essentials and, ideally, is also certified to UKAS-approved ISO 27001:2013. This goes beyond G-Cloud framework expectations, and rightly so: after all, those behind G-Cloud are not at risk when a security breach occurs (maybe their supplier catalogue entry criteria would change if they were!).
With secure cloud systems like ISMS.Online now available, investing in and managing a robust ISMS is much cheaper and easier than it ever was before.
Responsible customers and partners will not just transfer risk to suppliers through contracts in future either. They will actively collaborate on information security, and ISMS.Online, with its collaborative capability, easily facilitates supply chain engagement around the subject.