Councils to blame for more than 100 data breaches in two years, says Information Commissioner

Local authorities were responsible for more than 100 of the 818 data security breaches that have been reported to the Information Commissioner’s Office since November 2007, it has been revealed.

In the last 12 months offending councils have included Lancashire County Council, Shropshire Council, Sandwell Metropolitan Borough Council and Wigan Council.

However, the ICO said that the NHS (with 240 reported breaches) and private companies (with 235) were responsible for the lion’s share of problems.

The ICO’s data reveal that, overall, mistakes accounted for 195 security breaches, while theft was responsible for 262 incidents – typically where information was held on an unencrypted portable device.

In local authorities, the main problems were stolen data or hardware, disclosure of data in error, and lost data or hardware.

The ICO said organisations should ensure that laptops and other devices are encrypted, and staff given adequate training on the risks. The watchdog also warned that it would impose tougher penalties on organisations that fail to report breaches that subsequently come to light.

The research comes as the ICO is on the brink of receiving new powers to impose fines of up to £500,000 for serious breaches of the Data Protection Act. The Information Commissioner is also soon to have the ability to conduct spot checks of central government departments.

David Smith, Deputy Information Commissioner, said: “In just over two months a further 100 organisations have reported data security breaches to us. We are keen to work with organisations to prevent breaches occurring in the first place and to help put things right when things do go wrong.

“Talking to us may of course result in regulatory action. However, organisations must act responsibly; those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions.”