ISACA International Vice President Rolf von Roessing, CISA, CISM, CGEIT, has applauded the actions of Ireland’s Data Protection Commissioner in publishing a draft code of practice that requires incidents involving the theft or loss of personal data relating to more than 100 people to be notified to its office.
“The Irish commissioner has reportedly published the draft code in response to the recent recommendations of the data protection review group established by Dermot Ahern, the Irish Minister for Justice,” said von Roessing.
“As well as proposing that organisations be mandated to report data losses and thefts involving more than 100 people, the draft code also proposes mandatory notifications of all types where sensitive personal or personal financial data is involved,” he added.
According to von Roessing, the proposed code of conduct formalises the situation regarding data losses or thefts in the Republic of Ireland and, as such, will act as a reference model for other European countries.
The proposal effectively draws a line on the responsibility of managers of organisations which are handling data involving people’s personal records, and that includes human resource records.
This means, says ISACA’s international vice president, that most larger businesses in Ireland will have to report data thefts of most types as they occur, should the code of conduct be ratified as an Act.
Identity theft, says von Roessing, has now become a serious cybercrime problem, with criminal gangs selling personal data between themselves like never before.
“When the UK’s ICO announced in January of this year that he was increasing the penalties for data breaches and losses to 500,000 pounds, we welcomed those changes, noting that it is a major worry for responsible citizens to find that their private data – or even worse, that of their family – has been released into the public domain,” he said.
Security issues such as identity theft, job application refusals and all manner of public embarrassment can result from the disclosure of private data, he went on to say, adding that what can be shrugged off by one person can result in major concerns for another.
“It has been more than 25 years since the original UK Data Protection Act came into force, and since then, computers and the Internet have changed our lives largely for the better,” von Roessing said.
“The same is true for Ireland and most other countries and this is why we welcome this proposal by the Irish Data Commissioner’s Office, as it formalises what has been best practice in many organisations to date,” he added.