Freedom of Information requests have revealed that local councils reported 4,236 data breaches between 1 April 2011 and 1 April 2014 – approximately four incidents every day. The worst-affected individual council, Brighton and Hove, reported 190 incidents in the three-year period – more than one every six days.
A new report from Big Brother Watch (A Breach of Trust) found that there were at least:
- 401 instances of data loss or theft
- 628 instances of incorrect or inappropriate data being shared on emails, letters and faxes
- 5,293 letters sent to the wrong address or containing personal information not intended for the recipient
- 197 lost or stolen mobile phones, computers, tablets and USB sticks
Despite all of these incidents, only one person – an employee of Southampton Council – was successfully prosecuted, and only 50 employees were dismissed. In 68% of cases there was no disciplinary action at all.
Councils display “shockingly lax attitudes”
Big Brother Watch director Emma Carr told the BBC:
“Despite local councils being trusted with increasing amounts of our personal data, this report highlights that they are simply not able to say it is safe with them.
“A number of examples show shockingly lax attitudes to protecting confidential information. For so many children and young people to have had their personal information compromised is deeply disturbing.
“With only a tiny fraction of staff being disciplined or dismissed, this raises the question of how seriously local councils take protecting the privacy of the public.”
A spokesman for the Local Government Association said: “Councils take data protection extremely seriously and staff are given ongoing training in handling confidential data.
“When [breaches] do occur, robust investigations and reviews are immediately undertaken to ensure processes are tightened.”
Highest number of data breaches by council
1. Brighton and Hove – 190 incidents
2. Sandwell – 187 incidents
3. Telford and Wrekin – 175 incidents
4. Peterborough – 160 incidents
5. Herefordshire – 157 incidents
6. Glasgow – 128 incidents
=7. Doncaster – 106 incidents
=7. Essex – 106 incidents
8. Lincolnshire – 103 incidents
9. Wolverhampton – 100 incidents
10. Hammersmith and Fulham – 99 incidents
The Data Protection Act 1998
The Information Commissioner’s Office (ICO) can issue fines of up to £500,000 for breaches of the Data Protection Act 1998 (DPA), but Big Brother Watch thinks that doesn’t go far enough:
“The legislation to make breaching Section 55 of the Data Protection Act 1998 (DPA) punishable with a custodial sentence already exists in the form of Section 77 of the Criminal Justice and Immigration Act. Enacting this small piece of legislation would show that the Government is serious about safeguarding the privacy of individuals.
“The introduction of custodial sentences has been backed by the Information Commissioner’s Office (ICO), the Justice Select Committee, the Home Affairs Select Committee, the Joint Committee on the Draft Communications Data Bill, Lord Leveson in the Leveson Review and Stephan Shakespeare in the Shakespeare Review.”
ISO 27001 and best-practice cyber security
Principle 7 of the DPA states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”, but, as the ICO itself notes, a “one size fits all” solution to information security does not exist. “The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.”
An information security management system (ISMS), as set out in the international standard ISO 27001, provides such a risk-based approach to enterprise-wide information security. Implementing an ISMS enables organisations of all sizes, sectors and locations to mitigate the risks they face with appropriate controls. An ISMS addresses people, processes and technology, providing an enterprise-wide approach to information security that is based on the organisation's risk appetite and matched to the specific threats it actually faces, and it limits the inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software.
ISO 27001 Packaged Solutions
Priced from only £380, IT Governance’s ISO 27001 Packaged Solutions provide unique implementation resources for all organisations, whatever their size, budget or preferred project approach. Combining standards, tools, books, training, and online consultancy and support, they allow all organisations to implement an ISMS with the minimum of disruption and difficulty.