In August 2015 Big Brother Watch published a report it entitled A Breach of Trust. That report claims that between April 2011 and April 2014 there have been at least 4,236 data breaches comprising 401 instances of loss or theft, including 197 mobile phones, computers, tablets and USBs; 628 instances of incorrect or inappropriate data being shared on emails, letters and faxes; and 5,293 letters being sent to the wrong address or containing personal information not intended for the recipient.
The report says that these data breaches resulted in 39 resignations, 50 dismissals and 1 court case, (arising from an employee transferring “highly sensitive data to his personal email account”).
Some of the instances from the report are:
- Cheshire East: Inappropriate use of CCTV. A CCTV operator watched part of the wedding of a member of the CCTV team.
- Lewisham Council: A social worker accidentally left a bundle of papers on the train. The bundle included personal and sensitive data relating to 10 children, including: names, addresses, date of birth, and third party information in relation to sex offenders, police reports and child protection reports.
- Glasgow City Council: 75% of the 197 reported instances of loss or theft of equipment highlighted in Breach of Trust took place at Glasgow City Council.
- Aberdeenshire City Council: An unencrypted laptop containing the details of 200 schoolchildren was stolen.
Based on these findings, Big Brother Watch proposes a number of policy recommendations, which it says would prevent and deter data breaches from occurring:
- The mandatory reporting of a breach that concerns a member of the public
- Data protection training should be mandatory for members of staff with access to personal information
- The introduction of custodial sentences for serious data breaches
- Where a serious breach is uncovered the individual should be given a criminal record
- Standardised reporting systems and approaches to handling a breach
It is fair to say that the report has attracted some criticism with allegations that on analysis the vast majority of the breaches were ‘minor’ and that some statistics in report are misleading because 212 local authorities either declined to provide any information to Big Brother Watch or reported no breaches.
One critic even claimed that the report was almost worthless because the methodology used was, in his opinion, fundamentally flawed.
Whether the report is flawed or not, it goes without saying that data security and data protection in local authorities is extremely important and the report does seem to reveal some very concerning incidents. Perhaps the last word should go to Emma Carr, director of privacy at Big Brother Watch. She said:
“A number of examples show shockingly lax attitudes to protecting confidential information…With only a tiny fraction of staff being disciplined or dismissed, this raises the question of how seriously local councils take protecting the privacy of the public.
Far more could be done to prevent and deter data breaches from occurring. Better training, reporting procedures and harsher penalties available for the most serious of data breaches, including criminal records and custodial sentences are all required”.