Serious data protection breaches double in two years, ICO report reveals

The number of serious data protection breaches reported to the Information Commissioner’s Office has almost doubled in just two years, the watchdog’s annual report has revealed.

There were 603 reports of serious data breaches in 2010/11, compared to 464 in 2009/10 and 319 in 2008/09.

With 146 reports, local government was responsible for almost a quarter (24%) of the data breaches referred to the ICO in the last year. However, both the private sector and the NHS were responsible for more incidents. The private sector accounted for 186 reports (31%), while the health service provided 165 (27%).

The annual report also revealed that the number of freedom of information cases referred to the ICO rose 17% to 4,374 in 2010/11.

Other key findings from the report include:

  • The ICO closed 4,369 FOI cases in 2010/11, up 4% from 4,196
  • At the start of the year, the ICO had 117 FOI complaints over a year old. This was reduced to three by the end of 2010/11. The ICO also had 47 cases over nine months old by the end of the year, compared to 176 in 2009/10 – a drop of 73%. There were 179 cases over six months, down 39% from 294
  • The average age of FOI cases in days was 97, down 31% from 140
  • The outcomes of cases for FOI casework finished in 2010/11 were: informally resolved (47%); decision notice served (20%); ineligible or not section 50 (17%); no internal review (7%); reopened pending final outcome (7%); no action required by the ICO or complaint withdrawn by applicant (2%)
  • Local government was responsible for 44% of complaints in relation to freedom of information. The sector was followed by central government (30%); police and criminal justice (9%); health (9%); education (7%); and private companies (1%).
  • The outcome of FOI complaint casework where a decision notice was served was: complaint upheld in 215 cases (26%); complaint not upheld in 369 cases (45%); and complaint partially upheld in 233 cases (29%)
  • The data protection casework received by the ICO fell 21% to 26,227 (from 33,234 in 2009/10)
  • The ICO closed 29,685 data protection cases in 2010/11, down 9%
  • The work in progress at 31 March 2011 was 3,558, compared to 7,251 cases at 1 April 2010
  • There were just nine data protection cases over nine months old, compared to 212 the year before. There were 137 cases over six months old, down 84% on the 894 in 2009/10
  • The average age of data protection cases in days in 2010/11 was 60, down from 89 the previous year.
  • The outcomes of cases for data protection casework finished in 2010/11 were: advice and guidance provided (44%); breach likely (23%); ineligible complaint (19%); breach unlikely (12%); and reopened pending final outcome (2%)
  • The top 10 areas generating most complaints where sector was specified were: lenders (13%); general business (11%); direct marketing (9%); local government (7%); health (6%); central government (5%); telecoms (5%); policing and criminal records (5%); debt collectors (3%); and internet (3%)
  • The top 10 reasons for complaining were: subject access (28%); inaccurate data (15%); disclosure of data (12%); phone calls – automated (9%); phone calls – live (9%); security (7%); email (6%); SMS (3%); right to prevent processing (2%); and fair processing information not provided (2%)
  • The number of cases closed with a decision notice under the Freedom of Information Act and Environmental Information Regulations was 817, up from 628 in 2009/10.
  • There were 202 appeals against the ICO’s decisions. Of these 84% were made by complainants (170) and 16% by public authorities (32).
  • The Information Tribunal determined 155 appeals in 2010/11. The outcomes were: dismissed (35%); withdrawn (21%); part allowed (15%); struck out (15%); consent order (8%); allowed (4%); and invalid (2%).

In the foreword to the annual report, the Information Commissioner, Christopher Graham, said he welcomed measures in the Protection of Freedoms Bill that were designed to strengthen the independence of the ICO. However, he warned that there was “still work to be done to complete the framework”.

Graham acknowledged that the watchdog would have to shoulder its share of the burden of spending cuts.

“We continue to strive to find efficiencies and to deliver ‘better for less’,” he said. “But, with growing demand for our services, finding savings is a struggle. Where we are asked to take on new responsibilities we will need additional resources to carry out the work.”

The Information Commissioner said that, longer term, it may be time to question the current arrangement of separate funding for data protection and freedom of information activities. “It makes less and less sense to fund freedom of information out of grant-in-aid and data protection out of notification fees, and never the twain shall meet,” he said.

Graham argued that the independence and the effectiveness of the ICO would be better secured by more flexible funding arrangements. “As well as liberating the ICO from the apron strings of the Ministry of Justice, we may need to find alternatives to the purse strings of HM Treasury,” he continued. “Such an arrangement would also show government commitment to protecting information rights and to the value of an independent overseer.”

Philip Hoult