A new report from privacy group Big Brother Watch reveals how UK local authorities have been shockingly lax with the security and privacy of citizens’ data.
The report, ‘A Breach of Trust’, found that local authorities were responsible for ‘at least’ 4236 breaches over the past three years: 401 of them instances of data loss or theft, 628 instances of incorrect or inappropriate data being shared by email, letter or fax, and 159 instances of data being shared with a third party. There were 99 cases of unauthorised people accessing or disclosing data, and the personal data of more than 650 children was involved in a breach.
The calamities ranged from hundreds of confidential letters, emails and sensitive court case files being sent to the wrong people, to an unencrypted laptop containing the personal data of 300 children being stolen, to a social worker leaving bundles of paper on a train with highly detailed confidential information pertaining to ten vulnerable children, including police reports, child protection reports and information about sex offenders.
Data protection training is not currently compulsory for local council staff who handle personal information, and Big Brother Watch says that most of the incidents were driven by human error, the result of poor training or of staff being unaware of their responsibilities.
‘We are handing over more of our personal data than ever before to local authorities in exchange for more efficient and better targeted service,’ said the report. ‘As part of this deal we expect that the information will be kept secure and those who have access to the information are properly trained.’
But what’s most concerning is not just the incidents themselves, but the lack of consequence for those involved: in three years just one person has faced criminal sanctions – an employee of Southampton Council for transferring highly sensitive data to his personal email account – and only fifty have been dismissed as a result. 68% of incidents involved no disciplinary action at all.
‘Until proper punishments for the misuse of personal information are implemented the problem has the potential to grow, particularly as the gathering of data increases year on year with new technologies and a move to paperless systems,’ the report continues. ‘Imposing tougher penalties for the most serious of data breaches has received widespread support from a variety of organisations and individuals, including the Information Commissioner’s Office, the Justice Select Committee and the Home Affairs Select Committee.’
Big Brother Watch admits that it will never be possible to eliminate data loss entirely, but that things urgently need to change. As part of its recommendations, it wants councils to hold perpetrators of data breaches to account by giving them criminal records, and to make data protection training compulsory across the board. They should also have a duty to inform people when their personal information has been breached.
Tony Pepper, CEO of security specialist Egress Technology Solutions, says the public sector needs to accept that human error is one of the biggest challenges facing security professionals in all kinds of organisations, and put in place ways to ensure that public data is not put at risk as a result.
‘The regularity of breaches is worrying, particularly when you consider the fact child data was involved in 658 cases,’ Pepper said. ‘While public sector organisations already have top-down policies and procedures in place, it is clear that staff are not following these rules and that in many cases, there are not really any repercussions if they fail to do so. But it is not all down to the individual to mitigate this; people will always make mistakes, and organisations need to accept that, but they should not accept that this needs to result in confidential data being breached.’