The Information Commissioner published a report last week into an incident that occurred in March this year, when a CD containing personal data on 1.6 million people was lost during an office move at Eastern and Coastal Kent Primary Care Trust (PCT). Clearly people will be concerned that data losses such as this are still occurring after so many well-publicised incidents, but the interesting aspect of this story is the way in which it sheds light on attitudes towards risk management in some organisations.
The PCT has published quite a detailed explanation on its website, from which it is clear that a formal risk assessment process was undertaken (and appears to have been documented) before making the decision to store the CD in a filing cabinet. The PCT then goes on to reassure people that the data was “not current – the most recent information was from 2002”, but offers no explanation as to why it needed to continue storing this data on a CD. It remains very unclear why anyone required access to this non-current data in this format.
There is always a danger with formal risk management processes that people become so focused on the process that they forget to ask obvious questions like – why are we storing this data in the first place? No policies or procedures can substitute for common sense.
Follow the link for more information on Risk Evaluation and Control.