95pc of organisations store personal data, but few know how to protect it

27 Mar 2009

While close to 95pc of Irish organisations store personal data, only 31pc have a formal data-breach policy. And nearly half of these organisations have little confidence in ISPs preventing unauthorised access to private data.

A survey by the Irish Computer Society’s (ICS) Privacy Forum, in advance of next week’s ICS Data Protection Conference, found that 39.6pc of organisations think the proposed requirement for ISPs and telcos to store all categories of data for two years is too long.

Some 46.2pc of organisations have little confidence, and 35pc have no confidence, in the ability of ISPs to prevent unauthorised access to their data.

Some 94.2pc of organisations said their companies store personal data, while 57.7pc of companies transfer data to external organisations or individuals.

Only 31.6pc of organisations have a formal data breach policy, while 33.8pc have an informal policy.

A surprising 14.3pc of respondents don’t know if they have a data breach policy, and 20.3pc do not have a data breach policy in the company they work in.

Of the respondents who do have a data breach policy in their organisations, 48.5pc believe that all of their staff do not know about their data breach policy.

A damning 50.7pc of respondents do not have a formal retention/destruction policy stating how long to keep data in their workplace.

The survey also found high levels of concern from employees that they were not receiving sufficient data protection training from their employers.

“A startling 45.9pc of respondents affirmed that they do not feel they are receiving enough data protection training,” said Jim Friars, CEO of ICS.

“Companies need to realise the importance of data protection in their companies, and give it the time and training it deserves. In these troubled times, organisations need to minimise the risk of data breaches, which can occur through lack of training. For example, if a company were to send out text messages to an unfairly obtained list of 100 mobile numbers, it could be fined up to €3,000 per text message, which would bring its fine to €300,000!”

Friars stressed that data protection and privacy is not just an IT issue. “Every business owner, manager, admin clerk, call centre staff member, public service employee, doctor, lawyer and accountant needs to understand that the right to privacy is a fundamental right, and that every organisation in Ireland has a duty to protect that right for both its customers and its employees.

“At present, the public have little trust in their data being kept safe. Some 46.2pc of respondents have very little confidence, and 35pc have no confidence, in internet service providers’ ability to prevent their data from unauthorised access.

“On a positive note”, continued Friars, “67.9pc of respondents’ companies have one or more named individuals who are responsible for dealing with data protection matters. We hope that with the increased awareness of data protection, we will eventually reach a 100pc response for this question.”

By John Kennedy