The report, which can be downloaded from the Big Brother Watch website, and an associated blog post make for sobering reading. The blog highlights what it terms four notable examples from the report:
- Cheshire East: Inappropriate use of CCTV was reported. A CCTV operator watched part of the wedding of a member of the CCTV team. They were issued with a “Management instruction” on future use of equipment.
- Lewisham Council: A social worker accidentally left a bundle of papers on the train. The bundle included personal and sensitive data relating to 10 children, including names, addresses, dates of birth, and third-party information relating to sex offenders, police reports and child protection reports. The individual involved resigned during disciplinary procedures.
- Glasgow City Council: 75% of the 197 reported instances of loss or theft of equipment highlighted in Breach of Trust took place at Glasgow City Council.
- Aberdeenshire City Council: An unencrypted laptop containing the details of 200 schoolchildren was stolen. The laptop was later recovered. No disciplinary action was taken but the matter was reported to the Information Commissioner’s Office.
These are far from the only examples: the report devotes 182 pages to listing the various breaches by councils. While 98% of councils responded to the Freedom of Information request that Big Brother Watch sent out, not all provided information or admitted to any breaches. Reasons given for not providing the information include:
- Cost and Time
- Information not held in a retrievable format
- Information not held
On top of this, some councils chose not to respond, while a number claimed that they had suffered no data breaches at all over the four-year period. This latter group consisted of 167 authorities, or 38% of those asked for data. Given the four-year span covered by the request and the type of offences listed by those who did respond, there appears to be a significant difference between councils as to what constitutes a reportable data breach.
Emma Carr, director of privacy campaign group Big Brother Watch, said: “Despite local councils being trusted with increasing amounts of our personal data, this report highlights that they are simply not able to say it is safe with them. A number of examples show shockingly lax attitudes to protecting confidential information. For so many children and young people to have had their personal information compromised is deeply disturbing.
“With only a tiny fraction of staff being disciplined or dismissed, this raises the question of how seriously local councils take protecting the privacy of the public. Far more could be done to prevent and deter data breaches from occurring. Better training, reporting procedures and harsher penalties available for the most serious of data breaches, including criminal records and custodial sentences are all required. Until we see these policies implemented, the public will simply not be able to trust local councils with their data.”
Data breach a disciplinary offence?
In some councils there appears to be a strong data protection approach. East Sussex reported 18 data breaches: one led to a dismissal, 12 were disciplined internally and just 4 resulted in no disciplinary action. By comparison, Essex reported 106 data breaches with no dismissals, and 95 of those offences were not detailed and resulted in no disciplinary action.
The wide differences in how councils report and deal with data breaches are a significant cause for concern. The report highlights cases where councils and other organisations have taken different views on what constitutes a breach and what action should be taken.
The data provided shows that very few of the data breaches were reported to the Information Commissioner's Office (ICO). Yet it is possible to find similar data breaches at different councils where some made a report and others did not. There is a case here for abandoning the current self-policing of incidents in favour of a more rigorous approach by the ICO. Whether that should also include the ICO being involved in disciplinary action is debatable, but there has to be more consistency in the reporting of serious incidents.
Disciplinary measures not only differ between councils; reading through the list of offences committed, it is clear that there is no consistent set of punishments. The majority verdict is No Disciplinary Action, and where any action was taken the vast majority are recorded as Disciplined Internally. What that actually means is open to interpretation. Was it a ticking off? Were staff sent on refresher courses on how to handle data? Was anyone demoted or fined?
What we do know is that just 2.1% of data breaches led to either a dismissal (50) or a resignation (39). In many of these cases the offence appears to have been a breach of the Data Protection Act. Surprisingly, there is no evidence of anyone being prosecuted and gaining a criminal record. Instead, councils have allowed members of staff to resign during an investigation, presumably because at that point it all goes away.
It will be interesting to see if the ICO is now willing to take a closer look at every one of those resignations and dismissals to see if further action is warranted and whether there should have been a referral to the police.
Technology the main route by which data breaches occurred
Far too many of the incidents seem to relate to email and to data being sent to the wrong person. While councils have spent a lot of money on technology over the past two decades, it is apparent that they need to revisit where that money goes. There are plenty of tools that will let them apply privacy protection to data and prevent it being sent outside the organisation.
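One control of the kind that paragraph refers to, shown here as an added example rather than code from the report or from any council's own tooling: an outbound-email check that classifies a message for sensitive personal data and blocks it when any recipient is outside the organisation, and holds a clean message for confirmation when an external domain looks like a mistyped internal one. The domain example-council.gov.uk, the OFFICIAL-SENSITIVE marking, the keyword list, the simplified National Insurance number pattern and the sample message are all assumptions constructed for this example.

```python
"""Outbound-email DLP check for a council mail gateway.

Added example, not code from the Big Brother Watch report or any council.
Domains, markings, keywords and the sample message are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Dict, List

INTERNAL_DOMAINS = {"example-council.gov.uk"}      # assumed council domain
PROTECTIVE_MARKINGS = ("OFFICIAL-SENSITIVE",)      # assumed document marking
# Phrases that, in this example, indicate child protection or police material.
SENSITIVE_PHRASES = ("child protection", "police report", "sex offender", "safeguarding")
# UK National Insurance number (simplified prefix rule) and dd/mm/yyyy dates of birth.
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)  # extracted attachment text


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def external_recipients(msg: Message) -> List[str]:
    """Recipients whose domain is not one of the organisation's own."""
    return [r for r in msg.recipients if domain_of(r) not in INTERNAL_DOMAINS]


def lookalike_recipients(msg: Message, threshold: float = 0.85) -> List[str]:
    """External recipients whose domain closely resembles an internal one,
    the usual signature of a mistyped address."""
    return [
        r for r in external_recipients(msg)
        if any(SequenceMatcher(None, domain_of(r), d).ratio() >= threshold
               for d in INTERNAL_DOMAINS)
    ]


def sensitivity_findings(msg: Message) -> List[str]:
    """Reasons the message counts as sensitive personal data."""
    text = "\n".join([msg.subject, msg.body, *msg.attachments])
    findings = []
    for marking in PROTECTIVE_MARKINGS:
        if marking in text.upper():
            findings.append(f"marking:{marking}")
    for phrase in SENSITIVE_PHRASES:
        if phrase in text.lower():
            findings.append(f"phrase:{phrase}")
    if NINO_RE.search(text):
        findings.append("nino")
    if DOB_RE.search(text):
        findings.append("dob")
    return findings


def evaluate(msg: Message) -> Dict[str, object]:
    """Policy: sensitive data may circulate internally; it is blocked to any
    external recipient; a clean message to a lookalike domain is held for
    confirmation ("warn"); anything else is allowed."""
    ext = external_recipients(msg)
    findings = sensitivity_findings(msg)
    lookalike = lookalike_recipients(msg)
    if ext and findings:
        decision = "block"
    elif lookalike:
        decision = "warn"
    else:
        decision = "allow"
    return {"decision": decision, "external": ext,
            "lookalike": lookalike, "findings": findings}


# Constructed sample: a case note mistakenly addressed to a mistyped domain.
SAMPLE = Message(
    sender="social.worker@example-council.gov.uk",
    recipients=["team.leader@example-counci1.gov.uk"],
    subject="Case notes",
    body="Child protection report attached. DOB 04/03/2009, NI number AB123456C.",
)

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

The order of checks matters: the external-recipient test comes first because the same case note sent between two internal addresses is legitimate business, and the lookalike-domain check only downgrades to a warning because a near-miss domain can be a genuine partner organisation. In a real deployment the phrase and pattern lists would come from the organisation's own data classification rather than being hard-coded as here.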
The number of lost, unencrypted devices is also a concern. It appears that the vast majority of lost or stolen devices were not encrypted or protected in any way. Given the number of high-profile losses and the awareness of encryption in both the private and public sectors, each of these incidents raises questions over the approach to security inside councils.
A lack of staff training a major concern
Technology cannot be seen as a magic bullet. Many of the issues in this report are procedural, and that comes down to staff education. This is an area where councils, like many businesses, have sought to reduce their spending over the last decade. At the most basic level, staff in many councils struggle to get training on the software packages they use each day. When it comes to data protection, very few organisations in either the private or the public sector provide staff with anything like adequate education.
The Local Government Association, which should be providing guidance to its members, has no information on what constitutes an adequate level of basic data security training. This cannot be seen as anything other than a major gap in data protection, and it needs to be addressed, especially in light of this report by Big Brother Watch.
As with all Big Brother Watch reports, it provides a set of policy recommendations to help solve the problem. The six key recommendations are:
- A custodial sentence should be an available punishment for serious data breaches.
- Serious data breaches should result in a criminal record.
- Data protection training within local government should be mandatory.
- The mandatory reporting of a breach that concerns a member of the public.
- Standardised report systems and approaches to handling a breach.
- The extension of the ICO’s assessment notice powers to cover local authorities.
Further detail on what Big Brother Watch is calling for can be found in the report.
At an average of four data breaches per day, a number that is probably under-reported given that 38% of councils claimed to have had no breaches at all and others supplied no data, local councils are a shambles when it comes to protecting public data. Everyone accepts that they are under pressure to reduce spending as grants from central government continue to be cut. However, that does not excuse the lack of awareness or of basic data protection that this report exposes.