A staggering 4,236 data breaches occurred in local councils in a three year period, a damning report by the Big Brother Watch has revealed.
The report, dubbed A Breach of Trust, revealed the scale of data breaches by local councils, and in the three year period from April 2011 to April 2014, it found that there were at least 401 instances of data loss or theft, and 628 instances of incorrect or inappropriate data being shared on e-mails, letters and faxes, and in one instance in Cheshire East, a CCTV operator watched part of the wedding of a member of the CCTV team.
It also found that more than 5,000 letters had been sent to the wrong address, which had contained personal information not intended for the recipient – the number was higher than the 4,236 overall data breaches because in many cases breaches involving a number of people were treated as a single breach by local councils.
Big Brother Watch found that nearly 200 mobile phones, computers, tablets and USBs were either lost or stolen, and on 658 occasions, children’s information was involved in the breaches.
But despite the astounding number of data breaches, only one in 10 resulted in disciplinary action. That included 39 resignations, 50 dismissals and one court case which involved a Southampton Council employee who was prosecuted by the Information Commissioner’s Office (ICO) for transferring “highly sensitive data to his personal e-mail account.
Another individual decided to resign from his role as a social worker at Lewisham Council after leaving a bundle of papers on the train which included personal and sensitive data relation to 10 children including third party information in relation to sex offenders, police reports and child protection reports. Emma Carr, director of Big Brother Watch, with only a tiny fraction of staff being disciplined or dismissed, it raised the question of how seriously local councils take protecting the privacy of the public.
Big Brother Watch propose a number of policy recommendations which it hopes would prevent and deter data breaches from occurding, including the introduction of custodial sentences for serious data breaches, and a criminal record for individuals involved in a serious breach.
It says that data protection training should be mandatory for members of staff with access to personal information, and that it should be mandatory to report a breach that concerns a member of the public. Furthermore, the organisation wants standardised reporting systems and approaches to handling breach in place.
“Until we see these policies implemented, the public will simply not be able to trust local councils with their data,” said Carr.
She said that for so many children and young people to have had their personal information compromised is “deeply disturbing”, and said that many of these examples showed “shockingly lax attitudes in protecting confidential information”.
The privacy campaign group also notes that it wants the extension of the ICO’s assessment notice powers to cover local authorities.