Following the loss of two disks containing Revenue and Customs records on 25 million people, including names, dates of birth, bank details and addresses, there has been quite a lot in the press about all sorts of changes to the law to protect this data. This is quite confusing: as an IT manager, I thought that the Data Protection Act already covered all of this data, and that the data should have been encrypted at the very least. I believe that if it had been a private company that lost the data, they would have been in a lot more bother. I haven't heard any mention of the police being called in to investigate (although they were called in to help find the missing disks) or of criminal charges being pressed.
What is more disturbing is that a recent survey by SafeBoot (admittedly they are a supplier of mobile data encryption tools, so they may be a little biased) showed that nearly 80% of public sector employees ignore their own data security policies and carry out insecure data practices. The survey also found that nearly 50% of private sector employees admitted to ignoring their data security policies.
Another survey, this time by Orthus (another security service provider I know), found that a third of data security leaks were down to IT staff.