BBW on council data loss

by Mark Rowe

Councils are losing personal information, or having it stolen or using it inappropriately, complains the privacy campaign group Big Brother Watch (BBW) in its latest report, A Breach of Trust.

Many breaches occur due to some form of human error, due to poor training or staff being unaware of their responsibilities. As it stands, data protection training is not compulsory for those handling personal information. This needs to be rectified, says BBW. The public and the staff working in local authorities need to be able to trust that when a breach occurs it will be treated with the same approach across all organisations. This should include a duty to inform people when their personal information may have been involved in a breach, the campaigners say.

Making requests of councils under the Freedom of Information Act, BBW found that in a three-year period 4,236 data breaches occurred in councils, including at least:

401 instances of data loss or theft
628 instances of incorrect or inappropriate data being shared on emails, letters and faxes
5,293 letters being sent to the wrong address or containing personal information not intended for the recipient (and BBW notes that in many cases, breaches involving a number of people are treated as a single breach by councils. For instance, Glasgow City Council counted as one case the 677 cases where a landlord has received a letter intended for the tenant and 1130 cases where the tenant has received the landlord’s letter due to an error in the system used to produce letters).
197 mobile phones, computers, tablets and USBs were either lost or stolen.
On 658 occasions, children’s information was involved in the breaches.

As with breaches reported to the Office of the Information Commissioner (ICO) the breaches that BBW collated range from paperwork with personal data found dumped in a bin, to stolen laptops and mobile phones, some unencrypted; or devices left in a taxi; to sensitive documents emailed or posted to the wrong person. Glasgow City Council’s 128 cases typically were of thefts or lost devices, or mail sent to the wrong person, and included a marriage register left behind when the registrar vacated a building; and 11 unencrypted PCs awaiting disposal that went ‘missing’ from an unlocked storeroom.

One in ten data breaches resulted in disciplinary action; 39 resignations; 50 dismissals; and a single court case – namely a Southampton Council employee prosecuted by the data protection watchdog the ICO for transferring “highly sensitive data to his personal email account”. Big Brother Watch make recommendations to prevent and deter data breaches:

– Prison sentences for serious data breaches;
– Where a serious breach is uncovered the individual should be given a criminal record;
– Data protection training should be mandatory for members of staff with access to personal information;
– The mandatory reporting of a breach that concerns a member of the public; and
– Standardised reporting systems and approaches to handling a breach.

Emma Carr, director of privacy campaign group Big Brother Watch, said: “Despite local councils being trusted with increasing amounts of our personal data, this report highlights that they are simply not able to say it is safe with them. A number of examples show shockingly lax attitudes to protecting confidential information. For so many children and young people to have had their personal information compromised is deeply disturbing. With only a tiny fraction of staff being disciplined or dismissed, this raises the question of how seriously local councils take protecting the privacy of the public. Far more could be done to prevent and deter data breaches from occurring. Better training, reporting procedures and harsher penalties available for the most serious of data breaches, including criminal records and custodial sentences are all required. Until we see these policies implemented, the public will simply not be able to trust local councils with their data.”

Comments

Phil Greenwood, Director at Iron Mountain, the information storage contract firm, said that the frequency and severity of the incidents highlighted underlined the need for public sector organisations to have the right processes in place when it comes to managing and protecting critical and confidential information.

Phil Greenwood said: “In a time where resources and funding are limited, public sector organisations are struggling to balance demands for transparency with the need to protect vital data. The UK’s public sector is going through a period of transformational change. Severe cost-cutting means that staff are over-burdened and many organisations have lost valuable skills in records and information management – despite this, they are left to navigate the ever-complex information landscape.

“Managing information in a way that will protect it from breaches is not simply an IT or business process issue; it’s about culture and people. With people producing most of an organisation’s information and also being the ones most likely to misuse or misplace it, human error can leave an organisation exposed. It is possible to mitigate this risk however, through achieving an organisation-wide culture of information-responsibility. This must come from the top of the organisation and be reinforced with ongoing training and support. Beyond this, organisations must seek support from credible outsourced partners, accredited and approved by Government, for assistance with the management of information in physical and digital formats. By working with these partners, public sector bodies can outsource with confidence safe in the knowledge that their ability to securely manage information has not been hampered by the pace of change.”

And Campbell Williams, Group Strategy and Marketing Director at Six Degrees Group (6DG), said: “Councils need to take data protection more seriously. We recently conducted a Freedom of Information Act request amongst the 440 UK councils which revealed a significant gap in data security protection amongst Local Authorities (LAs) in the UK, with 55 per cent reporting breaches of ‘official’ data in the last two years. More worryingly it also showed a staggering 60 per cent of LAs don’t know how much sensitive ‘official’ data they hold, or where it is kept, with one authority suffering 213 data breaches in just two years.”

“This insight reveals a huge gap in approach within LAs across the UK, with a worrying majority lacking in their understanding of the actual position they are in regarding data security, let alone bringing protection up to standard, breaches are commonplace – and what is equally as worrying is the serious lack of insight they have into their own situation. These authorities need to act very quickly or more sensitive public data will be lost to potentially criminal sources.”

And Ed Macnair, founder and CEO of cloud security company CensorNet, said: “The number of potential exit points for data loss has risen rapidly since the emergence of cloud-based sharing apps such as Dropbox and YouSendIt, and the ease in which sensitive information can be transferred via cloud-based social apps such as Facebook, Twitter and Skype. It is paramount that local councils and the wider business community protect themselves with the new breed of infosecurity solutions that go beyond simply protecting those from breaching the perimeter to monitoring potential breaches travelling inside-out from within via cloud-based apps. Only by gaining this greater visibility, analysis and control can councils and business alike operate without the threat of a hefty ICO fine hanging over them.”

© 2024 Professional Security Magazine. All rights reserved.