Feeds

Councils 'fessed up to just 55 of 1,035 data loss shockers

Watchdog kept in the dark by town halls, wants new powers

Choosing a cloud hosting partner with confidence

The scale of data-handling gaffes at local authorities has been revealed by a new report that uncovered 1,035 incidents where confidential information about British citizens was lost.

Privacy campaign group Big Brother Watch (BBW) submitted 433 Freedom of Information Act requests to councils across the UK that covered a three-year period from August 2008 to August 2011.

The FOIs asked the authorities to report the number of cases where sensitive information had been lost by council staff, as well as explain the nature of the data loss. BBW also requested details about how many employees had been subsequently disciplined, sacked or prosecuted for such data breaches - and it asked what response each council had given to individual incidents.

In total, the campaigners received 395 replies from local authorities.

"We have uncovered more than 1,000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care," said BBW in a statement accompanying its report (PDF).

"Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing."

Despite that, BBW found that local authorities only reported a paltry 55 incidents to the Information Commissioner's Office, which handles data loss complaints.

The group added that only nine incidents – where data was mishandled by council staff – resulted in the individuals concerned being sacked.

“I welcome this research by Big Brother Watch," local government minister Grant Shapps told the data protection advocates.

"This reinforces the need for steps to protect the privacy of law-abiding local residents. Civil liberties are under threat from the abuse of town hall surveillance powers, municipal nosy parkers rummaging through household bins and town hall officials losing sensitive personal data on children in care.”

Here's a snapshot of some of the data losses uncovered by BBW, where the incidents weren't subsequently reported to the ICO:

  • In Bolton a smartphone "slid off a car bonnet" and was said to be "irretrievable without dismantling the car park". The authority said the phone contained internal contact details of Bolton council workers. It said the "phone was sent a remote wipe command within one hour and the owner of the car park subsequently sealed the cavity with concrete."
  • Schoolchildren's ID cards in Fife were delivered by post to the wrong addresses, the Scottish authority admitted. It said personal data that may have been leaked included pupils' names, photos, and possibly their dates of birth, as well as information about entitlement to free school meals. However, no action was taken, other than staff visual checks on all cards swiped by pupils at the school.
  • In Kent, scanned case notes relating to children were found on Facebook. They contained data that would identify individuals, the council admitted. The authority contacted the police and the director of children's social service was also informed about the incident.

The Register asked the ICO to respond to BBW's findings. It said:

It's vital that local authorities properly live up to their legal responsibility to keep personal data secure, particularly where it is sensitive information about children and young people.

Four out of the six monetary penalties that we've issued so far have involved data losses at councils.

Our concern isn't just that councils have the right policies and procedures in place; it's about bringing about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature.

We're calling for powers to conduct compulsory audits in the local government sector and will this week submit a formal business case to the Ministry of Justice asking the government to give us such powers.

The watchdog pointed us at its own list of local authority data cock-ups where "enforcement action" was taken over the past two years. ®

Security for virtualized datacentres

More from The Register

next story
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.