Sixty-eight percent of employees admit to bypassing their employers’ information security controls in order to do their jobs, according to new research from IT Governance Limited. This finding suggests that, even in some of the most sophisticated and security-conscious organizations, managers are failing to understand the correct balance between the confidentiality and availability of information. By implementing the wrong policies and procedures, they are potentially putting their organizations at risk and may be undermining the legitimacy of information security in employees’ eyes.


IT Governance Limited is a one-stop-shop for books, tools, training and consultancy on governance, risk and compliance. In February 2008, it polled 130 technology and compliance professionals on issues concerning the UK Data Protection Act (DPA).


The research found that most organizations appeared aware of their responsibilities under the DPA, with over 80 percent having a data controller or someone responsible for maintaining privacy. Eighty-two percent of organizations had clear policies and procedures for protecting personal data, including documented procedures (68 percent of organizations), formal procedures (57 percent) and informal procedures (24 percent). Twenty-one percent had policies and procedures certified to best practice standards, such as ISO27001, indicating that respondents represented organizations that are particularly well managed in the field of information security. Nevertheless, the high incidence of employees deliberately circumventing policies and procedures indicates that many of the measures introduced by management are unduly obstructive, either in design or implementation.


Organizations also differ in the comprehensiveness of their data security regimes. While 89 percent cover access to personal data, only 56 percent govern detecting and reporting data losses, while just 39 percent extend to correcting data loss incidents.


The need for DPA compliance is clear, with 96 percent of the organizations represented holding personal information about customers, patients or other individuals. Of these, 56 percent hold payment card or other financial information; 39 percent hold sensitive personal information, such as ethnicity, religion or political affiliation; and 36 percent hold medical information. However, only 55 percent of employees handling personal data have been trained in their legal responsibilities in respect of this information.


For more information on this study, go to
