Process is key to plugging data leakage, says Software AG

Tim Holyoake, strategic business solutions specialist with Software AG, makes the point that, in these cases, something has failed in the processes, rather than the mechanics of data security. "This reinforces our view that, while measures like encryption make for great IT hygiene, it only addresses a part of the problem," he insists. Holyoake reckons it is unrealistic to consider preventing the sharing of data, but "it is imperative to make sure that the right questions are being asked and that the moving and sharing of information is done in a manner appropriate to the value that individuals place on their personal information". He suggests that in our digital world there is no excuse for sloppy, physical data transfers. "The fact that removable media storage devices are still used for information sharing is astonishing, especially considering the number of self-reported losses through the use of electronic transfers over the last three years is … zero," he explains. The ICO has recently initiated a consultation on the first UK code of practice on data sharing. The 12 week consultation will end on 5 January 2011 and aims to set out a model of good practice for public, private and third sector organisations, when sharing data, both routinely and in exceptional, one-off cases. However, Holyoake says that, while organisations may be familiar with protecting data they hold themselves, establishing appropriate processes for shared information "may present new challenges". The ICO's recommendations go beyond just the physical protection of data and also include guidance on protecting the integrity and context of the information. The code of practice, although still in development, will recommend that steps should be taken to ensure accuracy of data before it is shared and that differing IT systems do not corrupt the information. "Organisations sharing personal information have to make sure that it will continue to be protected with adequate safeguards by the recipient and any other organisations that will have access to it," insists Holyoake. "In an age of Wikileaks, the Google Wi-Fi snooping scandal, huge fines for data breaches and the consequent reputational damage such failures cause, data management needs to go far beyond encryption and password protection," he adds.