Out-Law News

UK parliamentary watchdog bemoans inconsistent personal data breach reporting within government
New guidelines should be developed to help UK government departments report personal data breaches in a consistent fashion, a parliamentary watchdog has said.

The Public Accounts Committee (PAC) said (69-page / 542KB PDF) there are "major and unexplained variations in the extent to which individual departments report security breaches" at the moment, and urged the government to work with the UK's data protection authority to develop new guidelines on the issue.

"The Cabinet Office should consult with the Information Commissioner's Office to establish best practice reporting guidelines and issue these to departments to ensure consistent personal data breach reporting from the beginning of the 2017-18 financial year," the PAC said.

The PAC highlighted findings by the National Audit Office (NAO), which said last year that the 17 biggest UK government departments reported 14 data breaches to the Information Commissioner's Office (ICO) in 2014-15 and recorded a further 8,981 incidents they considered did not merit reporting to the watchdog.

More than two thirds of those incidents, 6,038, were recorded by HMRC, and 2,798 non-reported incidents were recorded by the Ministry of Justice. The other 15 departments were responsible for recording 145 non-reported incidents in total, and some government departments recorded "no non-reportable incidents at all", the PAC said.

"We are aware that numerous low-level breaches do occur, such as letters containing personal details being addressed to the wrong person; however these are not consistently recorded as data breaches," the PAC said. "Departments with a high reporting rate are likely to be better protected because they have developed a reporting culture to allow early identification of threats. Without a consistent approach across Whitehall to identifying, recording and reporting security incidents, the Cabinet Office is unable to make informed decisions about where to direct and prioritise its attention."

In its report, the PAC called on the Cabinet Office to draw up a "detailed plan" for the UK's new National Cyber Security Centre "setting out who it will support, what assistance it will provide and how it will communicate with organisations needing its assistance".

The PAC also said that a "clear approach for protecting information" is needed across the entire public sector and its "delivery partners". The government should establish such an approach and "clearly communicate to all these bodies how its various policy and guidance documents can be of most use, including during a data breach incident", it said.