UK Local Authorities in Data Protection Fail

UK local councils suffered over 4000 data breaches from April 2011–2014, a jump of over 3000 since the three-year period prior, according to a new report from rights group Big Brother Watch.

The Breach of Trust report claimed to have found at least 4236 breaches over the past three years, a significant rise from the 1035 recorded from July 2008–2011.

Of these, there were 401 instances of data theft or loss, with 197 incidents of equipment being lost or stolen.

Remarkably, Glasgow City Council accounted for three-quarters of this figure.

Elsewhere, inappropriate or incorrect data was shared by email, letter, or fax on 628 occasions; there were 99 cases of unauthorized staff accessing or disclosing data; and personal data on 658 children was involved in a breach.

Despite the worrying stats, no disciplinary action was taken after a breach in 68% of cases, with only 50 local council employees losing their jobs as a result and 39% resigning – just 2.1% of the total.

The only case to go to court involved an employee from Southampton Council who was successfully prosecuted by the ICO for having “transferred highly sensitive data to his personal email account.”

Big Brother Watch called for tougher penalties for the most serious data breaches.

It added:

“Many breaches occur due to some form of human error, due to poor training or staff being unaware of their responsibilities. As it stands data protection training is not compulsory for those handling personal information. This needs to be rectified.

“Both the public and the staff working in local authorities need to be able to trust that when a breach occurs it will be treated with the same approach across all organizations. This should include a duty to inform people when their personal information may have been involved in a breach.”

The rights group recommended introducing custodial sentences and criminal records for those found guilty of serious breaches; mandatory data protection training for staff with access to personal info; standardized reporting and handling of breaches by local authorities; and extending the ICO’s assessment notice powers to local government.

Phil Barnett, EMEA vice president at Good Technology, claimed the report shows a “shockingly naïve” approach to data protection from local authorities.

“With the public’s trust diminishing, government bodies need to take matters into their own hands. The best approach for minimizing security threats is a combination of stringent security policies, the correct tools, and education,” he explained.

“Education is vital, as it equips the workforce with the knowledge they need to make informed decisions and evaluate potentially risky situations.”
