Winchester Vacancies

Just 1 in 20 local authority data loss incidents reported to ICO, says report

Research into incidents of data loss at local authorities over a three-year period has revealed that just one in 20 were reported to the Information Commissioner’s Office, campaign group Big Brother Watch has claimed.

The ICO has meanwhile revealed it will this week submit a formal business case to the Ministry of Justice asking for the power to conduct compulsory audits in the local government sector.

Big Brother Watch put in freedom of information requests to 434 local authorities. Of these, 132 acknowledged data losses and 298 said there had been no incidents.

A total of 1,035 incidents were reported, of which 55 led to the ICO being notified.

The report, Local authority data loss, also revealed that:

  • At least 35 councils had lost information about children and those in care
  • The information of at least 3,100 children, young people or students was compromised in 118 cases
  • Some 244 laptops and portable computers had been lost
  • A minimum of 98 memory sticks and more than 93 mobile devices had gone missing.

The report revealed that only nine incidents had resulted in termination of employment.

Big Brother Watch said: “This report highlights how, despite data protection law, not enough is being done to ensure sensitive information is held securely and protected.”

The report identified the “top ten worst offending authorities” as:

  1. Buckinghamshire (72 incidents)
  2. Kent (72)
  3. Essex (62)
  4. Northamptonshire (48)
  5. North Yorkshire (46)
  6. Renfrewshire (41)
  7. West Sussex (36)
  8. Tower Hamlets (31)
  9. Telford and Wrekin (30)
  10. Cornwall (25)

The incidents catalogued included scanned case notes relating to children being placed on Facebook, documents being lost in a pub, and a USB stick containing confidential data regarding children in care being left in the street.

Big Brother Watch said: “It is important that steps be taken to prevent further breaches through training and clear policies, but also that proper sanctions are in place when they do occur.

“Our research suggests that neither of these concerns is being adequately dealt with and while incidents have resulted in policies being changed – particularly around encryption – the different approaches seen across the country suggest a worryingly inconsistent and unpredictable approach to data protection across local authorities.”

The group said the high number of authorities reporting no incidents suggested that there were different internal thresholds for reporting and logging incidents.

An ICO spokeswoman said: “It’s vital that local authorities properly live up to their legal responsibility to keep personal data secure, particularly where it is sensitive information about children and young people. Four out of the six monetary penalties that we’ve issued so far have involved data losses at councils.

“Our concern isn’t just that councils have the right policies and procedures in place; it’s about bringing about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature. We’re calling for powers to conduct compulsory audits in the local government sector and will this week submit a formal business case to the Ministry of Justice asking the government to give us such powers.”

Philip Hoult