In the recent HM Revenue & Customs (HMRC) data debacle, employees at all levels of seniority neglected security policies and procedures, copied database information to disks, and sent data unencrypted in the post.

In the past few weeks we have seen multiple data loss reports: Northern Ireland drivers’ licence details, Merseyside health workers’ data and HMRC’s admission that its Cardiff office either lost the personal details of more than 6,500 people claiming pensions and/or sent the data to unauthorised recipients.

We have government regulations that require companies and agencies to protect private data, as well as corporate security policies dealing with the same issue.

Sadly, confidential data is not being handled in accordance with these privacy regulations. That needs to change, and it needs to change before more of our personal data is “shared”.

Far too often companies and government agencies establish good data security policies, everyone signs off on those policies, and then does exactly what they want. This is not solely a UK problem, recent studies from The Ponemon Institute and other research firms indicate disregard for security policies is widespread.

Ponemon, in its recent report Data Security Policies Are Not Enforced found that more than half of the survey’s respondents had copied confidential company information onto portable devices, even though more than 87 per cent also said that company policy forbids such practices.

It is obviously not enough to create data-driven security policies and then pay lip service to the idea of privacy and protection of confidential information. Businesses and government agencies need to have comprehensive training programmes detailing the importance of protecting private data and the policies in place to do so.

Then we need to enforce those policies using technologies such as role-based access to ensure that no one accesses information that their job does not require them to see.

You also need automated enforcement of security policies to block forbidden activities; system auditing to see who is doing what with protected data; encryption of data in transit and at rest to protect it if breaches do occur; and real consequences for any attempts to thwart security policies.

Compliance with policies must be automated as much as possible to stop incidents of human error and outright disregard of a company or agency’s policies. And penalties for breaking policies must be rigorously enforced, each and every time.

Additionally, while the financial costs of data loss are real, the damage to reputation and levels of public trust associated with data loss can be just as devastating.

Until there are genuine consequences associated with data loss ­ apart from the typical week or so of angry media stories ­ our personal data will continue to be mismanaged.

Mike Howse is European managing director at data security firm Protegrity and a BCS contributor