Local authorities still flagrantly disregard data protection laws in over 1,000 cases of negligent data loss
Local authorities have lost sensitive, personal data more than 1,000 times in three years, it has been revealed.
Negligence without consequence
According to the report, the group uncovered 1,035 separate incidents across 132 local authorities, including at least 35 councils that have lost information about children and those in care. Buckinghamshire, Kent and Essex, the top three offending authorities, experienced 206 incidents between them, while 263 authorities claim to have not lost a single item of data over the period.
The information was gathered using Freedom of Information Act requests, which received a response rate of 91 percent. It showed that at least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.
“Despite these severe breaches,” said BBW, “only 55 incidents were reported to the Information Commissioner’s Office, with just nine incidents having resulted in termination of employment.”
“With recent moves to allow local authorities to access more centrally-held personal information, for example, details on benefits and earnings, the amount of data potentially at risk continues to grow.”
Check Point’s UK MD Terry Greer-King said his company’s research data reflects similar findings. “We’ve surveyed the use of data encryption in UK public and private sector organisations every year since 2007, and encryption deployments have been consistently under 50 percent until now. Yet even in 2011, only 52 percent of respondents were using encryption to protect data on their laptops,” said Greer-King. “What’s more, 13 percent reported a breach from lost or stolen laptops, and a further 7 percent lost unencrypted USB sticks. With only half of firms actively protecting their devices and data, breaches will inevitably continue for some time yet.”
A novel solution
“But,” said BBW, “there are concrete changes that can be made to protect the privacy of personal information, including a greater use of Virtual Private Networks (VPNs) which would allow staff to work from home without requiring sensitive information to be stored on their own computers. This would also reduce the need for information to be held on council laptops, as information would be readily accessible from a remote location.”
The group also recommends a much stricter policy on the use of external data storage devices and the transfer of information to personal equipment, eliminating many of the incidents where data has been lost to thefts and carelessness.
“A serious cause for concern is that it is impossible to say whether local authorities operate a sufficiently robust data protection regime. This is an area of data protection that the Information Commission should strongly consider investigating more thoroughly. Without a power of compulsory audit, the ICO relies on voluntary disclosure, and with such sensitive information at stake, this cannot be a satisfactory position,” said the group in its report.