A breach of trust for local authorities?

In August, privacy campaign group Big Brother Watch revealed that local authorities recorded 4,236 data breaches over a three year period. Government Business analyses aspects of the report and asks whether the data we submit is really secure?

In an ongoing attempt to achieve optimum efficiency and the ultimate customer service, people are handing over more and more personal data to local authorities. While this presents an immediate risk, it is done with an expectancy that our information will he kept safe and secure, and will only be made accessible to those who are appropriately trained and in a position in which they need access.

However, this is not always the case. A report by Big Brother Watch, ’A Breach of Trust’, has shown that between April 2011 and April 2014 there were at least 4,236 data breaches. A previous Big Brother Watch report, ‘Local Authority Data Loss’, reported that between July 2008 and July 2011 there were over 1,035 data breaches. The increase between the two four year periods is quite substantial, and is a major cause for concern.

Findings
Of the data breach findings from April 2011 to April 2014, 401 instances of data loss or theft were recorded, with 628 instances of incorrect or inappropriate data being shared on emails, letters and faxes. This included 5,293 letters which were sent to the wrong address or contained personal information not intended for the recipient. A remarkable 75 per cent of the reported instances of loss or theft of equipment in the report took place at Glasgow City Council.

Additionally, there were 159 instances of data being shared with a third party, 99 cases of unauthorised people accessing or disclosing data and a concerning 658 instances where children’s personal data was involved in a data breach. In Aberdeenshire City Council, an unencrypted laptop containing the details of 200 school children was stolen. While the laptop was eventually recovered, no disciplinary action was taken.

Which leads to another worrying statistic. The report states that 68 per cent of cases investigated involved no disciplinary action. Furthermore, where action was taken on data breaches, a minor 2.1 per cent resulted in resignation or dismissal, and only one court case relating to data protection has taken place. Until proper punishments for the misuse of personal information is implemented the problem possesses the potential to grow further still, especially considering how the gathering of data increases year on year with new technologies and a move to paperless systems.

Data Protection Act
The Data Protection Act (DPA) states that whenever information is collected it should be done so for ‘legitimate purposes’ and when used it should not adversely affect the individuals it relates to. Whilst the DPA’s aims are laudable its effectiveness is undermined by Section 55, which covers the unlawful obtaining and disclosure of personal information. Big Brother Watch has repeatedly called for custodial sentences, rather than solely fines, to be introduced to provide a real deterrent to those who misuse personal information.

Whilst fines may, at first, appear to be a strong deterrent, on closer inspection it is clear that they have not reduced data breaches or indeed raised awareness amongst staff and organisations of the severity of data loss or data breach. For example, Glasgow City Council was fined £150,000 following the theft of two unencrypted laptops which held 20,143 names and addresses along with the bank details of over 6,000 people. This may sound substantial but when set against the scale of the breaches repeatedly committed by the Council it quickly loses its impact. It is worth noting that the Council has revealed a further 74 unencrypted laptops which are unaccounted for.

A further failing of the DPA is that data protection breaches are classed as civil offences. Anyone who knowingly commits a breach will not receive a criminal record. This raises the potential for an individual to gain further employment that allows them to access personal information, despite the fact they have been punished for committing a data protection offence in a previous job. Until the gaps in the system are addressed, breaches will continue to occur. In its current form the DPA doesn’t represent a workable deterrent to those who are intent on illegally obtaining and disclosing personal information.

According to the findings, 167 (38 per cent) of all local authorities reported no data breaches between 2011 and 2014. It is probable that local authorities are using different criteria to determine what is and what isn’t a breach, which is unhelpful. It creates a false impression of the scale of the problem and opens some local authorities (which may have stricter reporting criteria) to unfair criticism when compared to others.

Additionally, it is often the case that similar breaches are met with wildly differing responses. Hammersmith and Fulham met two instances of ‘data loss’ with disciplinary action but allowed a further 41 to be treated with no further action. One stand-out example is the decision of Welwyn Hatfield Council to give an employee a verbal warning because they failed to bcc an email, whilst others such as Wyre Council took no action. This is a case that would merit a more restrained approach than disciplinary action.

Further issues are raised by the large number of cases where no information was provided. This was mainly because the information itself wasn’t held. A lack of information on what breaches have taken place make it very difficult to ensure that lessons have been learned.

Policy recommendations
Big Brother Watch proposes a number of policy recommendations which would help to deter wrongful access of personal information, reduce accidental breaches and improve the level of standardisation across local authorities.

Firstly, they argue that a custodial sentence should be an available punishment for serious data breaches, as current penalties for serious data breaches do not deter individuals who are seriously considering breaking the law. Judges presented with serious data breaches should be able to hand out custodial sentences if the perpetrator is found guilty of a serious breach.

Secondly, serious data breaches should result in a criminal record. Individuals who carry out a serious data breach are not subject to a criminal record. An individual could therefore resign or be dismissed by an organisation only to seek employment elsewhere and potentially commit a similar breach. In organisations which deal with highly sensitive data, knowing the background of an employee is critical.

Moreover, data protection training within local government should be mandatory, as knowingly breaching the Data Protection Act (DPA) is only part of the issue. Concerns exist at the ease with which a breach can unwittingly occur due to poor training and management. This can be avoided by ensuring that anyone who works with personal information is comprehensively aware of their responsibilities and the proper procedures.

The report campaigns that policy should be changed regarding the mandatory reporting of a breach that concerns a member of the public. When we give information to a local authority we expect it to be properly protected. When this fails to happen we should have a right to know why. It is important that whenever a breach occurs the people involved are informed as soon as possible. This will allow the individual to take action to mitigate the breach.

The research shows that there is no standardised response for a local authority when dealing with a breach, raising postcode lottery concerns. To remove confusion and improve confidence it is important that all local authorities act in the same way to prevent data breaches from occurring and respond when they do occur.

Further Information
bigbrotherwatch.org.uk