How Safe Is Your Data?
Obviously, you can take all the precautions you want over how you look after your personal data: keep your firewall and anti-virus up to date, don’t respond to phishing emails, don’t install software of dubious provenance on your computer and so on, but that’s only protecting the data at your end. What happens when it gets passed over to the organisations you are dealing with?
Well, Ian Cuddy of PSF has been compiling a Public Sector Data Breach log showing data breaches in the public sector only (and this is of course not counting the private sector breaches).
Ian has kindly given me permission to republish some of this information here for those of you who aren’t PSF subscribers, and it’s quite shocking reading. In this calendar year, and going only up to the end of September, he’s so far recorded around two hundred and fifty breaches. Two hundred and fifty! At least when everyone dealt with paper records they would only send out one record incorrectly at a time…
So here are some of the highlights; I’ve selected only one item per month:
- In January, a person wandered into Oldham Civic Centre, and walked out again, unchallenged, wheeling 17 council laptops in a recycling bin.
- In February, NHS Brent were reprimanded by the Information Commissioner after two unencrypted laptops were stolen containing personal information of 389 patients.
- In March, Lothian and Borders Police launched a review of data security procedures following the loss of an unencrypted USB memory stick containing information on hundreds of police investigations.
- In April, the Ministry of Defence confirms that an unencrypted hard drive, containing names of SAS soldiers and top-secret training exercises, has been lost.
- In May, Cambridge Police Authority accidentally published confidential complaints about police officers on its website. One of the complaints concerned ‘improper disclosure of sensitive information to a third party’.
- In June, Tendring Council apologised after a sack of documents containing personal details of elderly residents was discovered dumped in a rubbish bag in a street.
- In July, a GP exposed a security flaw in an electronic database accessible by NHS smartcard holders after he was able to view personal records of colleagues and staff without their consent and without the unauthorized access being reported.
- In August, the Crown Prosecution Service handed personal details of prosecution witnesses (including addresses and phone numbers) to defence lawyers by mistake.
- And in September, the DVLA was ‘urgently’ investigating after its database of millions of motorists was sold to oil firm Castrol to use in a marketing campaign, apparently without its knowledge.
It would appear that the only way to keep your data safe is of course not to have any. Anyone who has access to personal data needs to take particular care not only not to disclose it ‘by mistake’ but also to keep it secure. Whether we need heavier penalties for those who expose someone else’s data either by act or omission may be something that needs to be looked at.
We need to be clearer as regards data protection: organisations must not collect any data they don’t need; they must dispose of that data when appropriate, and they must keep it secure until then. If they fail to do so, then I would suggest not only must they notify everyone who has had their details exposed, but they must also be prepared to stump up any transfer costs (whether financial, or time-compensation) for anyone who decides that they want a different bank account…
paul canning says:
October 11th, 2009 at 11:47 am
PSF knows I think this: it’s a great shame that this log is effectively being kept behind a wall, accessible only to the likes of us.
It can’t be used by campaigners so I’m left wondering how it is useful.
Just sayin’.
Fats says:
October 5th, 2012 at 8:18 pm
Surprisingly well-written and informative for a free online article.