11.08.15
Councils breach data protection laws ‘four times a day’
Sensitive and confidential information is lost or stolen by councils an average of four times a day, a campaign group has found through Freedom of Information requests.
The research, conducted by Big Brother Watch, found that local authorities recorded a total of 4,236 data breaches between April 2011 and 2014 – nearly 700 of which contained private information involving children.
Though most councils attributed this to “miscellaneous incidents” rather than confirming what took place, some local authorities shared shocking stories behind the data breaches.
A social worker at Lewisham City Council, for example, left a bundle of papers on a train, including sensitive data relating to 10 children, as well as information on sex offenders.
Other examples include a CCTV camera operator at Cheshire East Council using the cameras to watch a colleague’s wedding, and an unencrypted laptop containing details of 200 schoolchildren being stolen from Aberdeen City Council.
The campaigning watchdog also found that only one in 10 of the most serious cases resulted in disciplinary action. Staff resigned in 39 cases and only 50 employees were dismissed.
Brighton & Hove Council topped the group’s FoI list, with 190 recorded data breaches during the three-year period.
Emma Carr, director at Big Brother Watch, told ITV this morning: “Human error certainly has played a huge part in a lot of the examples in this report, so we’re talking about the need for better training, questioning whether the information should be leaving the council area at all, whether it should be put in a USB stick or on a laptop, and limiting the amount of people who have access to this information as well.
“We’re being asked, as individuals, to hand over a huge amount of personal information to councils on a daily basis – we have no choice if we want to receive their services. But we need to be able to trust that they’re going to keep us safe.”
David Juitt, chief security architect from Ipswitch, noted that public sector organisations are “falling foul of data loss as opposed of data theft”, since most breaches are simplistic rather than “sophisticated hacks”.
He said: “Sending an email to the wrong recipient or leaving a laptop, tablet or USB in a public place may seem like an easy mistake, attributable to a flow in human nature. However, when it is your personal data that has been lost or shared, it feels a lot more like negligence.
“Local authorities are losing the public’s trust as well as its data. What’s also surprising is that organisations don’t seem to be disciplining staff for these breaches.”
According to recent research by the Online Trust Alliance, almost one-third of data losses are caused by staff, whether maliciously or otherwise.
In this investigation, more than 5,000 letters were sent to the wrong address and almost 200 mobile phones, computers, tablets and UBS were lost or stolen.
Luke Brown of Digital Guardian said. “Human error is something that many organisations easily overlook when working with sensitive data, usually to their detriment. Looking within your organisation for potential threats to data security is imperative. This will become even more important once the proposed EU Data Protection Regulation comes into force.”
Big Brother Watch advocates that staff training should be “absolutely rigorous” and called for council workers to face jail over severe data breaches.
However a spokesperson from the LGA said councils take data protection “extremely seriously” and assured the group that “staff is given ongoing training in handling confidential data”. It added that breaches are rare and, when they do occur, “robust investigations are immediately undertaken”.
Brown reiterated that there are numerous available technologies “designed to combat human errors and more malicious insider threats”, adding that “small investments can go a long way”.
“It’s mystifying that local authorities aren’t taking more advantage of the solutions available. When technology that protects data at source is deployed, it removes many of the risk factors associated with human error.
“Sensitive data can be protected from unauthorised copying, deleting or viewing, meaning it is protected even if it is misplaced. Furthermore, staff quickly becomes aware of the impact of their actions, leading to rapid behavioural changes. Within just a month or two of deploying data-centric security solutions, organisations typically see a dramatic drop in staff-related data breaches as a result.”