The Cabinet Office said the government was “working to achieve compliance at the earliest possible date”.

“As in the private sector, where it is estimated that very few websites will be compliant by the 26th May, so it is true of the government estate,” a Cabinet Office spokesman told the BBC.

“The majority of department websites will not be compliant with the legislation by that date.”

The BBC understands that the sites, which range from those run by local councils to national departments, have been told that no action will be taken by the Information Commissioner’s Office (ICO) over the deadline miss – provided they were “showing a commitment” to eventually make changes.

While government websites do not carry advertising, cookies are still used to carry out various tasks, such as helping site administrators monitor levels of traffic.

“If people listen to our advice and are prepared to take steps towards compliance there shouldn’t be a problem,” Dave Evans, the ICO’s group manager for business and industry, told E-Consultancy last month.

“However, if businesses deliberately stop short of total compliance, then there is a risk.”

After an investigation by the Information Commissioner’s Office (ICO) found that ‘council failed to take appropriate organisational measures against the accidental loss of personal data held on paper records’.

An incident involving the council in 2010 resulted in them signing a formal undertaking to ensure that a paper-handling policy was introduced and adhered to; this latest blunder confirmed that this policy was not in place at the time of the second loss – and as a result, the fine was issued.

Simon Entwisle, the ICO’s Director of Operations, said:

“The potential for damage and distress in this case is obvious. It is therefore extremely disappointing the council had not put in place sufficient measures in time to avoid this second loss.

“While we are pleased that Barnet Council has now taken action to keep the personal data they use secure, it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. This includes storing papers containing sensitive information separately from laptops.”

Comment
DataWise by Absolute Data, is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at info@absolute-data.co.uk, or call us on 01423 790125.

Tweets on social networking site Twitter, claimed that Anonymous; a loosely-organised group of hackers which has regularly targeted official websites, was behind the attack.

An ICO spokesman said the site contained no sensitive data:

“Access to the ICO website has been disrupted over the past few days. We believe this is due to a distributed denial of service attack,” he said.

“The website itself has not been damaged, but people have been unable to access it. We provide a public-facing website which contains no sensitive information.

“We regret this disruption to our service and we are working to try to bring the website back online as soon as possible.”

Included in the request was for Facebook to publish ‘more detail on how long data can be held, what happens when accounts are deactivated and what kinds of ads could be shown to users even when they’re not on Facebook’s pages’.

“We’re adding more examples and detailed explanations to help you understand our policies,” Erin Egan, Facebook’s chief privacy officer for policy, said in a blog posting on the site.

“We are waiting to see the detail of what is proposed, including any role envisaged for the Information Commissioner. We shall then have to judge whether the Commissioner’s current powers are adequate for the task or whether additional powers and resources will be needed. It remains our position that the case for this proposal still has to be made, and we shall expect to see strong and convincing safeguards and limitations to accompany the Bill.”

After a second look at the issue, the ICO insisted that Google submitted to a series of audits, but chose not to fine them.

Now that even more new evidence has come to light (a report by the US Federal Communications Commission) suggesting that “Google employees were fully aware of the data collection”, the ICO “…will study the Federal Communication Commission’s report and consider what further action, if any, needs to be taken.”

The next audit is due from Google in June, which will prove/disprove whether the ICO’s initial recommendations have been implemented or not.

eUKhost Ltd posted an announcement on its website last Saturday morning (28th May 2012):

“Although the method of the compromise remains unclear, we can confirm that an administrator level login was compromised and an IP address added to an allow list to allow a successful login.”

“We are still investigating how this compromise occurred and we can’t currently see any evidence of a database dump. However, with our billing system compromised on any level, passwords stored within and not changed since signup can potentially be compromised.”

The hack itself occurred in February 2012, although eUKhost Ltd didn’t find out about the hack until last week, when the hacking group responsible posted a video confirming the activity on YouTube. UrduHack, a Pakistani hacking group, has been confirmed as responsible for the hack.

eUKhost Ltd said:
“The hacking group responsible is not the type to cause trouble with individuals… they are the kind of hackers that just want to prove they can do something. Their motive was not financial, and they were not interested in compromising our systems, they just wanted to prove they could do it.”

“We are… a bit guilty of not following our own advice that we give to our customers, so we are a little embarrassed that we have not practiced what we preached.”

eUKHost has now moved its billing system to a new server and changed the encryption algorithm. It would appear that payment details do not appear to have been compromised.

The incident happened after a consultant sent a letter to a medical secretary to be formatted, but omitted to identify a patient number, and spelt the name incorrectly. As a result, the secretary chose the wrong patient to send the letter to (although they had a similar name) – the wrong patient then read the letter.

“The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate,” ICO enforcement chief Stephen Eckersley said in a statement.

It was discovered that data protection training hadn’t been given to neither the consultant nor the medical secretary – nor were adequate checks put in place by ABHB to stop such an incident occurring.

Stephen Eckersley, of the ICO said: “Organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO….this case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent. Organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.”

Pertinently, although this is the first fine levied on an NHS organisation, “the data protection watchdog is still considering other fines for similar bodies”.

The Brighton and Sussex University Hospitals NHS Trust is facing a much weightier £375k fine after a contractor it employed to destroy hard drives sold them on eBay instead. The drives contained patient data.However, the ICO has not yet given a final decision on that fine, as it is still in discussions with the trust.

The group, which consists of security experts and entrepreneurs, has been created because of frustrations about blaze attitudes and the slow pace of online safety improvements.

“We want to stimulate some initiatives and get something done,” said TIM’s founder Philippe Courtot, serial entrepreneur and chief executive of security firm Qualys.

Other expderts that will be part of TIM include SSL’s inventor Dr Taher Elgamal; “white hat” hacker Moxie Marlinspike who has written extensively about attacking the protocol; and Michael Barrett, chief security officer at Paypal.

The testing methods that TIM will undertake are two-stage: the first part would be to run automated tools against websites to test how well they had implemented SSL. The second stage concerns the running of the bodies, known as certificate authorities, which guarantee that a website is what it claims to be.

“We’ll be making it public,” adds Courtot, “Everyone is now going to be able to see who has a good grade and who has a bad grade.”

The UK’s private sector accounted for more than a third of all reported data breaches over 11 months, but less than 1% of the resulting fines, according to a Freedom of Information request.

Five fines totalling £790,000 were imposed on the public sector and one £1,000 penalty on a private firm.

During the period March 2001 to February 2012, the ICO said 730 events had been flagged up as being potentially liable to a penalty or other action.

The private sector reported 263 cases, while 467 were reported by government and other public sector bodies.

These included:
• 281 incidents when information had been mistakenly sent via email, documents had been sent to the wrong address, or other similar accidents;
• 170 incidents caused by the theft of data or hardware;
• 108 events involving the loss of data or hardware, of which the NHS was responsible for just over a third of cases;
• 17 instances in which materials had not been disposed of properly.

Of the 433 breaches resolved over the period, six resulted in local councils being fined. The biggest penalty was a £140,000 charge imposed on Midlothian Council after it repeatedly disclosed personal data about children and their carers to the wrong recipients.

The private sector company singled out was ACS: Law. Its data controller was fined £1,000 after a hack attack and subsequent security breach resulted in sensitive details about 6,000 people being published on a third-party website.

The ICO said at the time that it would have imposed a larger £200,000 fine had the firm not ceased trading and its owner not been of limited means.

Recent data breaches that have come to light include:
• The accidental publication of the home and email addresses of 38,000 people who applied to run the London Marathon
• Loans company Student Finance England sending an email to 8,000 customers, which included other recipients’ email addresses
• Scotland Yard sharing email addresses of more than 1,000 victims of crime with other victims.