Protecting data is key to company’s survival

By Rob McConnell
Tuesday, 2 June 2009

Some hard drives in computers on sale at car boot sales were found to contain confidential information about companies such as Ford, Laura Ashley and Nokia

Mention data loss, and most of us will think of the 2007 incident in which HM Revenue and Customs (www.hmrc.gov.uk) misplaced the child benefit records of 25 million people.

It may be the most infamous case of its kind in terms of sheer numbers. But the Revenue is not alone.

Recently, the Information Commissioner told the NHS (www.nhs.uk) to improve its data security after breaches involving the loss of thousands of personal medical records.

The Commissioner’s office said it had taken action against 14 organisations within the NHS in the last six months.

What’s even more astonishing is that between January and April of this year, there were 140 security breaches within the Health Service — that’s more than central government and local authorities combined.

Nor are these blunders confined to the public sector.

A survey of 1,000 hard drives obtained from eBay (www.ebay.co.uk), other auction sites and car boot sales found information — some of it confidential — from the Ford Motor Company (www.ford.co.uk), Laura Ashley (www.lauraashley.com) and Nokia (www.nokia.co.uk).

Ford said it was investigating the history of the hard drive in question to see if it came from an associated company with “different disposal policies”.

Laura Ashley said it was “surprised” because it had “rigorous” arrangements in place.

BT’s security research centre (http://labs.bt.com/cissr), which funded the study on the hard disks, wondered when people were going to wake up, because data loss was not a new problem.

It described some of the losses as “inexcusable”. Protecting data could be crucial to a company’s survival. If intellectual property ended up in the hands of competitors, it could undo months or even years of investment in research and development.

But the public sector has a different problem. The private information entrusted to government departments, councils, other public bodies and the Health Service can be highly confidential.

To lose it is not just a betrayal of public trust. It’s a breach of the Data Protection Act.

Your duties with regard to private information can be found in clear, unambiguous language at the Information Commissioner’s web site: www.ico.gov.uk. So what policies can you put in place to ensure that data in your company or organisation is protected?

Well, as the Commissioner’s office pointed out after the Revenue fiasco in 2007, drawing up a data protection policy is not rocket science.

Some organisations, for example, still don’t prohibit employees from using storage devices such as USB sticks at work. In the HMRC case, one member of staff was able to burn the entire child benefits database to a CD.

This is such a glaring hole in security that it should be the first one to be plugged.

Next, you need to look at who is using the data, what they are doing with it, and when and how they are accessing it. This allows you to put in place a security hierarchy. Not everyone needs access to every level of information.

Data should also be encrypted. This stuff may sound very obvious, but one of the recent NHS breaches involved the details of 6,000 prisoners, contained on a memory stick. The data was encrypted, but the previous user had very helpfully attached a note revealing the password. I promise I am not making this up!

You can also install software that monitors the database and issues a warning if, for example, an attempt is made to download a large customer file and a computer terminal has not done that before.
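The kind of check described above can be sketched as follows. This is an added example, not code from the column or from any monitoring product; the log format, terminal names and the `find_first_time_large_exports` function are constructed for illustration. It learns which terminals routinely pull large files during a baseline period, then warns when a terminal with no such history does so.

```python
import re

# Constructed audit-log lines in a hypothetical format (not from a real product).
SAMPLE_LOG = """\
2009-05-04T09:12:03 terminal=T-014 user=jsmith table=customers rows=120
2009-05-04T09:40:51 terminal=RPT-01 user=batch table=customers rows=250000
2009-05-05T09:41:07 terminal=RPT-01 user=batch table=customers rows=251300
2009-05-05T14:02:19 terminal=T-014 user=jsmith table=customers rows=85
2009-05-06T18:55:42 terminal=T-014 user=jsmith table=customers rows=249800
2009-05-06T19:01:10 terminal=T-022 user=akhan table=orders rows=n/a
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) terminal=(?P<terminal>\S+) user=(?P<user>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

def find_first_time_large_exports(log_text, baseline_until, large_rows=10_000):
    """Return (alerts, unparsed) for a chronologically ordered audit log.

    Events before `baseline_until` (ISO timestamp prefix) only build history.
    Later, a large export alerts if that terminal has no history of large
    exports from that table. Alerted pairs are NOT added to the history, so
    they keep alerting until someone reviews and approves them.
    """
    history = set()            # (terminal, table) pairs seen doing large exports
    alerts, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)   # never drop malformed records silently
            continue
        rows = int(m["rows"])
        if rows < large_rows:
            continue
        key = (m["terminal"], m["table"])
        if m["ts"] < baseline_until:        # ISO timestamps sort as strings
            history.add(key)
        elif key not in history:
            alerts.append({"ts": m["ts"], "terminal": m["terminal"],
                           "user": m["user"], "table": m["table"], "rows": rows})
    return alerts, unparsed

if __name__ == "__main__":
    alerts, unparsed = find_first_time_large_exports(SAMPLE_LOG, "2009-05-06")
    for a in alerts:
        print("WARNING first-time large export:", a)
    print("unparsed lines needing review:", unparsed)
```

The threshold and baseline window are assumptions to tune per database; lines that fail to parse are returned rather than ignored, because a gap in the audit trail is itself worth a look.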

Finally, at the end of the data’s lifecycle, you need strict disposal policies so that hard drives don’t end up on eBay.

There’s a useful article on the disposal of individual hard drives here: http://news.bbc.co.uk/1/hi/technology/8056364.stm.

The University of Edinburgh has drawn up an extensive set of guidelines for the protection of data.

See: http://preview.tinyurl.com/qzcb2v. There’s also a section on the subject at www.businesslink.gov.uk. With the increasing use of electronic storage, this topic is too huge to do justice to in a newspaper column.

No single data protection policy can be applied to every organisation.

But bear in mind when drawing one up that the weakest link is usually the human one, as all the recent breaches have demonstrated.

Rob McConnell is regional director for SQS NI (www.sqs-uk.com). His email address is rob.mcconnell@sqs-uk.com
