Data protection: a necessity not a choice

In February, a town council in Devon was held to ransom by hackers demanding £3,000 in return for public data. With local authorities moving towards smarter, more digital services, Daniel Nesbitt, research director for Big Brother Watch, looks at the importance of local authority data security

There is no escaping it, we all live in a digital world. Whether you like it or not data about each of us is being generated, collected and used more than ever before - we are all now digital citizens. For local authorities this explosion of data creates new opportunities. Once it has been collected, information can be used to better target services and potentially improve efficiency.

Traditionally local authorities have held information about their citizens such as names, addresses, financial information and benefits records, data existing in order to provide specific services. But now, with a push towards Big Data analysis and the opportunity to embed technologies into our environments which can monitor our every move, it is likely that local authorities will want to access more and more data on residents. Indeed many councils are already exploring new ways of collecting and using data. Essex County Council, for example, is rolling out sensors for every street light in order to ‘track atmospheric data to traffic noise’ whilst Glasgow City Council claims to have over 370 different datasets available as part of its Future City programme. This new wave of data is allowing some authorities to begin exploring the idea of smart cities.

You can see how this all sounds exciting and revolutionary, but with increased data gathering comes increased responsibility, especially if the data relates to people, their movements, decisions, actions, behaviour or lifestyle choices. Not only is consideration of people’s privacy (even in public places) necessary, but consideration to the protection of any data collected if it relates to a person is absolutely critical. A data driven society must also be a data secure society and to be honest local authorities have a lot of work to do before they can be trusted with our basic data let alone the vast swathes of big data these new opportunities will create.

In 2015 we published the report A Breach of Trust. This report, based on Freedom of Information responses from UK local authorities, found that between 2011 and 2014 councils suffered over 4,000 cases where personal information of citizens was lost, stolen or misused. This worked out to be an average of four data breaches every week. The same report also found that data breaches could be divided into two categories; those which occurred by accident and those which were malicious, targeted actions.

The majority of breaches were purely accidental; for example laptops being mislaid or confidential files being left in public areas. The remainder, malicious breaches, involved examples such as the purposeful theft of data via an official stealing a memory stick and an external hacker breaking into a council’s system.

The lower figures in relation to malicious hacks may at this point seem reassuring but recent news reports have revealed that several councils have fallen victim to cyber-attacks. In February of this year it was reported that a clerk working for Tiverton Town Council mistakenly opened an email attachment containing a virus. The virus subsequently locked a number of files on the council system and resulted in hackers demanding £3,000 in return for releasing them. In a similar incident Lincolnshire County Council’s system was taken offline and the council was forced to pay attackers $500 in Bitcoin.

You may think these are one off examples of poor practice but don’t be fooled, hacks of this nature are on the rise, no one should be complacent about cyber attacks and no organisation should rest on their laurels when it comes to ensuring their systems are safe.

Why does this matter?
Well, it’s simple: if a council is found to have a poor track record of data protection citizens won’t trust them to keep their information safe. This will make utilising the plethora of new data much more difficult. To make matters more pressing the time when good data protection was a choice rather than a necessity is fast coming to an end. Clearly any local authority which wants to benefit from the opportunities of data needs to address the threats it brings first.

Of course nothing can entirely eradicate data breaches but we at Big Brother Watch have identified a range of steps which can be taken to improve data protection. To begin with councils should consider whether collecting large quantities of data is actually necessary. Just collecting and retaining the data you have a use for can make systems easier to manage, reduce the amount of data that could be stolen, lost or misused and could in turn help to reduce costs and target resources more effectively. By not creating unnecessarily large stores of data you reduce chances of producing a honeypot which could otherwise tempt hackers.

Obviously some data will need to be collected and stored and it is at this point that strong data protection will be necessary. Ensuring data is encrypted at all times (be it in transit or at rest in storage) should be top of any local authority’s to do list. This is not just the cry of a privacy campaigner, it is the cry of Government and the Information Commissioner as well.

The Department of Communities and Local has warned that: “Public bodies that fail to secure personal data will be investigated by the Information Commissioner and can expect a fine if found negligent.”

Be clear, this is not an idle threat; the Information Commissioner’s Office (ICO) has fined a number of councils for their poor approach to data protection. Hampshire County Council was fined £100,000 after it was found that confidential documents had been left behind by staff when they moved offices.
To tackle accidental data loss every member of staff with access to personal information should fully understand their role in keeping the data of citizens secure. This means having a high standard of data protection training available across all local authorities. Proper training will help ensure that staff members have a decent level of understanding of their responsibilities.

If local authorities are to effectively tackle the issues of data loss, misuse and theft it’s not enough to just protect against something happening; there must also be a commonality in reporting and responding to an incident. Currently what one council defines as a serious data breach may not be the same as another council. Citizens have to be able to see how well their council is protecting information. Without a common approach to reporting breaches some councils run the risk of looking much worse than others simply because they are stricter about recording incidents.

Similarly responses to data breaches need to be standardised. In some councils something as seemingly innocuous as failing to bcc an email results in a verbal warning whilst in others no action is taken. Some councils also suffer from this problem internally, Hammersmith and Fulham Council disciplined those responsible for two instances of ‘data loss’ but took no action in the 41 other cases it suffered. Both of these changes would remove the sense that people are dealing with a postcode lottery when it comes to ensuring their data is properly protected.

Caring about and actively protecting data is a live topic. Data protection is changing; in May 2018 the Data Protection Act 1998 will be updated with the General Data Protection Regulation (GDPR). The informed consent of citizens will have to be obtained before any data collection takes place. Key to gaining this consent will be proving you’re able to keep the data safe. For any council found to be taking a poor approach to data protection the maximum penalties will be much more serious. Instead of a £500,000 fine the most severe cases will be met with a fine of €20 million or four per cent of an organisation’s annual turnover, whichever is greater.

By taking account of our proposals we believe councils stand a better chance of being ready for May 2018 and the new data protection regime. Whilst this new data-driven age may well bring with it many benefits none of them matter if councils can’t properly protect information. Breaches can be damaging, regardless of whether they are accidental or malicious, but there are ways to guard against them. By taking a few simple steps sooner rather than later local councils will be well placed to take advantage of the opportunities of data, comply with the new data protection regime and win the trust of their citizens.