Out-Law News 4 min. read
24 Nov 2011, 9:56 am
Figures obtained under freedom of information (FOI) laws showed that 132 local authorities had been involved in personal data loss incidents between 3 August 2008 and 3 August this year, according to a report by Big Brother Watch (BBW).
Under the UK's Data Protection Act it is unlawful for organisations in control of personal data to fail to take appropriate measures to guard against accidental loss or damage of that personal data. Extra protective measures have to be taken to ensure sensitive personal data such as information about children or health details is secure.
"Despite delivering sensitive services involving children, vulnerable people and those in receipt of various benefits, the research highlights how regularly personal information is lost by local authorities and the huge variation in data protection," BBW said in a statement.
The privacy campaigners said that 91% of local authorities had responded to its request for information about the loss of personal data by council employees and contractors during the three year period. It said the information gathered in its report (137-page / 1.95MB PDF) showed that "at least" 35 councils had lost personal data about children and people in care and that information about "at least" 3100 children, young people or students had been "compromised" in 118 cases.
Local authorities that responded to the FOI requests reported 244 laptops and portable computers, 98 memory sticks and more than 93 mobile devices lost or missing, BBW said.
The authorities reported 55 incidents of personal data loss to the UK's data protection watchdog – the Information Commissioner's Office (ICO), the group said. Nine incidents led to individuals losing their jobs, it said.
Councils in Buckinghamshire and Kent reported the most personal data breaches of any local authority with 72 incidents recorded in each county within the three year period, BBW said.
Nick Pickles, director of BBW, said that the information the group had uncovered showed that nearly a third of UK councils had "a shockingly lax attitude to protecting confidential information".
"The fact that only a tiny fraction of staff have been dismissed brings into question how seriously managers take protecting the privacy of their service users and local residents," Pickles said in a statement.
"For more than 3,000 children and young people to have their personal information compromised is deeply disturbing, as in most cases parents will not be aware of the incidents. However, equally concerning is that 263 local authorities claim to have not lost a single mobile phone or memory stick, which seems surprising given the scale of loss in other authorities and the private sector," he said.
"As just 55 of these incidents were reported to the Information Commissioner’s Office, there is a clear need for the ICO to have the power to audit organisations without needing their consent to ensure that the ICO is fully aware of data protection breaches. Despite having access to increasing amounts of data and being responsible for even more services, local authorities are simply not able to say our personal information is safe with them," Pickles said.
Under the Data Protection Act the ICO currently has the power to conduct compulsory data protection audits of central Government departments, but must obtain consent from organisations in other sectors before it can investigate their procedures. The ICO has long campaigned for these mandatory auditing powers to be extended. Last month it called for the right to conduct mandatory investigations into private sector businesses, health bodies and local Government authorities' data protection practices.
A spokesperson for the ICO said that the watchdog would submit a "business case" to the Ministry of Justice later this week in an attempt to obtain powers for mandatory auditing of local Government.
"It’s vital that local authorities properly live up to their legal responsibility to keep personal data secure, particularly where it is sensitive information about children and young people," the ICO spokesperson said.
"Four out of the six monetary penalties that we’ve issued so far have involved data losses at councils. Our concern isn’t just that councils have the right policies and procedures in place; it’s about bringing about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature. We’re calling for powers to conduct compulsory audits in the local government sector and will this week submit a formal business case to the Ministry of Justice asking the government to give us such powers," they said.
The ICO has the power to issue fines of up to £500,000 for serious breaches of personal data. It has previously said that it would not use new powers to fine organisations for data protection law breaches if those breaches are discovered as part of one of its audits.
Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that local Government bodies could save money and prevent personal data breaches occurring by participating in an ICO audit.
"A lack of funds in the public sector means that it is often the area where data security breaches occur," Wynn said.
"Local Government bodies just do not have the money to put technology in place that ensures compliance and it means that human errors, such as misdirecting sensitive emails, can occur and not be spotted," Wynn said.
"It would be better for the ICO to have the power to conduct a compulsory audit of local Government bodies in order to encourage compliance and spot potential security breaches. It may force those authorities at risk of security breaches to spend tens of thousands of pounds on new secure systems and procedures but this is likely to be less than what they could pay in fines and rectification costs as a result of data security breaches," she said.
In June the ICO issued Surrey County Council with a £120,000 fine for emailing information containing sensitive personal data to the wrong addresses.