
Local authorities suffer over 4,000 data breaches in three years

Between April 2011 and April 2014, local authorities across the UK suffered at least 4236 data breaches, according to new research.

Privacy campaigner Big Brother Watch is behind the study, which gathered data from Freedom of Information (FOI) responses from 98 per cent of all councils in the country.

The group asked local government bodies in the UK for the number of individuals that have been convicted for breaking the Data Protection Act (DPA), the number that have had their employment terminated as the result of a DPA breach, the number that were disciplined internally, the number that resigned during proceedings and the number of instances where no action was taken.

The findings revealed at least 401 instances of data loss or theft, 628 instances of incorrect or inappropriate data being shared on emails, letters and faxes, 159 instances of data being shared with a third party, 99 cases of unauthorised people accessing or disclosing data and 658 cases where children’s personal data was involved in a data breach.

Instances of data breaches recorded included letters being sent to the wrong address, letters containing information not intended for the recipient, lost and stolen mobile devices and breaches involving sensitive or confidential personal information.

Of the data breaches disclosed by the local authorities, 68 per cent of cases had no disciplinary action and when action was taken, 2.1 per cent resulted in resignation or dismissal.

Just one court case relating to the Data Protection Act has taken place, when an employee of Southampton Council was successfully prosecuted by the Information Commissioner’s Office (ICO) for having ‘transferred highly sensitive data to his personal email account.’

Issues To Be Resolved

According to the report, A Breach of Trust: How local authorities commit four data breaches every day, the data breaches themselves are not the only concern; the seeming lack of punishment is another.

“[The document] highlights a number of major issues which need to be resolved. Until proper punishments for the misuse of personal information are implemented the problem has the potential to grow, particularly as the gathering of data increases year on year with new technologies and a move to paperless systems,” it claims.

“Imposing tougher penalties for the most serious of data breaches has received widespread support from a variety of organisations and individuals, including the ICO, the Justice Select Committee and the Home Affairs Select Committee,” it adds.

Big Brother Watch recommends that, going forward, local authorities invest in better training which is compulsory for those handling personal data, and that all organisations take the same approach when a breach occurs.

Encryption Company Comments

Egress, a company with many local government customers that offers solutions such as encrypted email and encrypted file transfer, has offered its thoughts on the report.

“This report provides even more evidence that human error really is the biggest challenge facing information security professionals and it needs to be dealt with,” claimed Egress CEO Tony Pepper.

“The regularity of breaches is worrying, particularly when you consider the fact child data was involved in 658 cases.

“While public sector organisations already have top-down policies and procedures in place, it is clear that staff are not following these rules and that in many cases, there are not really any repercussions if they fail to do so.

“It is not all down to the individual to mitigate this; people will always make mistakes and organisations need to accept that, but they should not accept that this needs to result in confidential data being breached,” he added.

Industry reaction

Ed Macnair, founder and CEO of cloud security company CensorNet, commented: “It is shocking to hear that there have been 4,236 data breaches in local councils in just a three-year period, but I fear that this number is likely to only increase in the future.

“The number of potential exit points for data loss has risen rapidly since the emergence of cloud-based sharing apps such as Dropbox and YouSendIt, and the ease with which sensitive information can be transferred via cloud-based social apps such as Facebook, Twitter and Skype.

“It is paramount that local councils and the wider business community protect themselves with the new breed of infosecurity solutions that go beyond simply protecting those from breaching the perimeter to monitoring potential breaches travelling inside-out from within via cloud-based apps. Only by gaining this greater visibility, analysis and control can councils and business alike operate without the threat of a hefty ICO fine hanging over them.”

Phil Greenwood, Director at information risk management specialist Iron Mountain, was also on hand to offer his thoughts on the report: “The frequency and severity of the incidents highlighted underlines the need for public sector organisations to have the right processes in place when it comes to managing and protecting critical and confidential information.

“In a time where resources and funding are limited, public sector organisations are struggling to balance demands for transparency with the need to protect vital data. The UK’s public sector is going through a period of transformational change. Severe cost-cutting means that staff are over-burdened and many organisations have lost valuable skills in records and information management – despite this, they are left to navigate the ever-complex information landscape.

“Managing information in a way that will protect it from breaches is not simply an IT or business process issue; it’s about culture and people. With people producing most of an organisation’s information and also being the ones most likely to misuse or misplace it, human error can leave an organisation exposed. It is possible to mitigate this risk, however, through achieving an organisation-wide culture of information-responsibility. This must come from the top of the organisation and be reinforced with ongoing training and support.

“Beyond this, organisations must seek support from credible outsourced partners, accredited and approved by Government, for assistance with the management of information in physical and digital formats.

“By working with these partners, public sector bodies can outsource with confidence, safe in the knowledge that their ability to securely manage information has not been hampered by the pace of change.”

Image Source: Shutterstock/Benoit Daoust