Privacy group reports alarming data breach statistics in public sector

Big Brother Watch reported alarming data breach statistics at local councils, which may be just the tip of the iceberg.

Local councils have suffered more than 1,000 data breaches in the last three years, according to research carried out by the lobbying group Big Brother Watch, and data suggests the real figure could be a lot bigger.


Data breach statistics from a new report published by the London-based privacy advocacy group show that of the 1,035 incidents reported by 132 local authorities, at least 244 laptops and portable computers were lost. In addition, at least 98 memory sticks and more than 93 mobile devices went missing.

The researchers also investigated how local councils responded to the breaches. Only 55 of the incidents were actually reported to the Information Commissioner's Office (ICO), and nine of the cases resulted in the person responsible losing their job.

The group sent requests under the Freedom of Information Act to 434 local councils, asking them about any information breaches they had suffered between August 2008 and August 2011. It received responses from 395 councils -- a response rate of 91%.

Only a third (132) of the councils reported breaches, while the remaining 263 authorities claimed they had had no data losses at all. “It does seem surprising that in 263 local authorities, not even a single mobile phone or memory stick was lost,” the group said in the report, suggesting the disparity may arise because councils apply different internal thresholds for reporting and logging data losses.

The councils with the highest level of reported breaches were Kent and Buckinghamshire (72 apiece), followed by Essex (62), Northamptonshire (48) and North Yorkshire (46).

Most of the breaches were accidental, such as USB sticks being lost, emails sent to the wrong address, or laptops stolen from parked cars; some involved paper files going astray.

However, some of the cases involved deliberate action, such as former employees stealing data when they had been dismissed, disclosing information to unauthorised third parties and information being accessed without proper cause. In one case in Kent, scanned case notes relating to children were uploaded to Facebook.

Roger Gough, cabinet member for business strategy, performance and health reform at Kent County Council (KCC), claimed in a statement that his county had come out badly because of its size. "It is no surprise that we come out on top as we are the largest shire authority in the country, which means we handle a proportionally larger amount of information,” he said.

Gough also took issue with the Facebook case. “The Facebook example cited was the result of a family member posting scanned images of social service case notes (obtained via court proceedings) onto the Web. The Information Commissioner's Office considered KCC blameless in that case,” he said.

The Big Brother Watch report recommended councils make better use of virtual private networks, so staff working from home would not be tempted to load information on USB sticks and then transfer it to their own computers.

It also suggests a much stricter policy on the use of external data storage devices and the transfer of information to personal equipment, which would eliminate many of the incidents of data loss due to thefts and carelessness.

In a separate, written statement issued at the same time as the report, Big Brother Watch said: “The growing volume of personal information held by local authorities is a significant threat to personal privacy and civil liberties. This report highlights how, despite data protection law, not enough is being done to ensure sensitive information is held securely and protected.”

Security companies were quick to offer their views on the report. Terry Greer-King, UK managing director of Check Point Software Technologies, which has its international headquarters in Tel Aviv, Israel, blamed the losses on the poor uptake of encryption among local authorities. “We’ve surveyed the use of data encryption in UK public and private sector organisations every year since 2007, and encryption deployments have been consistently under 50% until now," Greer-King said. "Even in 2011, only 52% of respondents were using encryption to protect data on their laptops."

David Fowler, senior VP of products and marketing for identity management company Courion in Manchester, said closer monitoring of who has accessed information would help control the problem. “Public organisations need to create a culture of shared responsibility for data security among their employees,” Fowler said. “To achieve that, they need effective security policies and access risk management solutions that enable organisations to maintain control of who is accessing sensitive information and how it is being used.”

Chris Mayers, chief security architect at Santa Clara, Calif.-based Citrix Systems Inc., said councils need to apply a risk-based approach to guarding sensitive data. “IT needs to be able to enable different classes – or risk levels – of data to be handled securely, but with a solution that won’t unduly restrict access or productivity,” Mayers said. “When budgets are constrained, this will be achieved through spending money on technology that is proportionate to the risk involved and tiering access accordingly.”

Earlier this year, Big Brother Watch carried out similar research into the NHS and police authorities and found a similar catalogue of problems, including incidents of patient information and medical records being shared on social networking sites, and police officers and staff abusing their access to sensitive data.
