Councils 'fessed up to just 55 of 1,035 data loss shockers
Watchdog kept in the dark by town halls, wants new powers
The scale of data-handling gaffes at local authorities has been revealed by a new report that uncovered 1,035 incidents where confidential information about British citizens was lost.
Privacy campaign group Big Brother Watch (BBW) submitted 433 Freedom of Information Act requests to councils across the UK that covered a three-year period from August 2008 to August 2011.
The FOIs asked the authorities to report the number of cases where sensitive information had been lost by council staff, as well as explain the nature of the data loss. BBW also requested details about how many employees had been subsequently disciplined, sacked or prosecuted for such data breaches - and it asked what response each council had given to individual incidents.
In total, the campaigners received 395 replies from local authorities.
"We have uncovered more than 1,000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care," said BBW in a statement accompanying its report (PDF).
"Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing."
Despite that, BBW found that local authorities only reported a paltry 55 incidents to the Information Commissioner's Office, which handles data loss complaints.
The group added that only nine incidents – where data was mishandled by council staff – resulted in the individuals concerned being sacked.
“I welcome this research by Big Brother Watch," local government minister Grant Shapps told the data protection advocates.
"This reinforces the need for steps to protect the privacy of law-abiding local residents. Civil liberties are under threat from the abuse of town hall surveillance powers, municipal nosy parkers rummaging through household bins and town hall officials losing sensitive personal data on children in care.”
Here's a snapshot of some of the data losses uncovered by BBW, where the incidents weren't subsequently reported to the ICO:
- In Bolton a smartphone "slid off a car bonnet" and was said to be "irretrievable without dismantling the car park". The authority said the phone contained internal contact details of Bolton council workers. It said the "phone was sent a remote wipe command within one hour and the owner of the car park subsequently sealed the cavity with concrete."
- Schoolchildren's ID cards in Fife were delivered by post to the wrong addresses, the Scottish authority admitted. It said personal data that may have been leaked included pupils' names, photos, and possibly their dates of birth, as well as information about entitlement to free school meals. However, no action was taken, other than staff visual checks on all cards swiped by pupils at the school.
- In Kent, scanned case notes relating to children were found on Facebook. They contained data that would identify individuals, the council admitted. The authority contacted the police and the director of children's social service was also informed about the incident.
The Register asked the ICO to respond to BBW's findings. It said:
It's vital that local authorities properly live up to their legal responsibility to keep personal data secure, particularly where it is sensitive information about children and young people.
Four out of the six monetary penalties that we've issued so far have involved data losses at councils.
Our concern isn't just that councils have the right policies and procedures in place; it's about bringing about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature.
We're calling for powers to conduct compulsory audits in the local government sector and will this week submit a formal business case to the Ministry of Justice asking the government to give us such powers.
The watchdog pointed us at its own list of local authority data cock-ups where "enforcement action" was taken over the past two years. ®
Sponsored: 2016 Cyberthreat defense report