Government agencies committed almost 9,000 personal data breaches in a year, according to a new report by The Guardian, which added that just 14 were reported to the Information Commissioner (ICO).
A total of 17 departments breached personal data exactly 8,995 times in 2014/15, which works out to more than 24 data breaches a day. Most of the breaches occurred at Britain's tax authority, HM Revenue and Customs (6,041). It reported three.
The Ministry of Justice had 2,801 breaches, also reporting three. The majority of the breaches were considered 'minor' incidents that “potentially had an impact on customers but were not managed centrally by the department”, but we'll never be able to tell.
“The lack of detail in the self-reporting data means it is not possible to determine how significant any of the 8,981 incidents [not reported to the ICO] were,” a National Audit Office report said.
“The data reflect public reporting as signed off by accounting officers and highlight major variations in incident reporting processes across departments.”
Sir Amyas Morse, head of the National Audit Office, said: “Protecting information while redesigning public services and introducing the technology necessary to support them is an increasingly complex challenge.
“To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.”
Data protection and the idea of government access to private data are at the heart of a heated debate in the UK, with the Investigatory Powers Bill, also known as the Snooper’s Charter, currently in draft. It was proposed by Prime Minister Theresa May, whom exiled whistleblower Edward Snowden recently called ‘Darth Vader in the UK’.
If passed, the bill would allow law enforcement agencies to access metadata of UK citizens without a warrant.
Jacob Ginsberg, Senior Director at Echoworx, commented: "The government is delving into our personal lives and demanding public transparency with bulk data collection. However, when their networks are breached and our personal information is left out in the open, they are under little to no obligation to disclose it. There are clearly two sets of rules – one for the public and one for the government. This isn’t right.
"The NAO report further highlights the hypocrisy surrounding data security in the UK. The government claims that individuals’ privacy is of paramount importance – despite its efforts to weaken encryption – yet clearly there are serious failures with its current security setup. Data security must be of paramount importance, even more so in the public sector.
"History has shown that governments are just as vulnerable to attacks as any other party. What’s needed is an immediate re-think of security strategy and public transparency."