A Breach of Trust: How Local Councils Commit Four Data Breaches Every Day

Our latest report, A Breach of Trust, reveals the scale of data breaches by local councils, including personal information being lost, stolen or used inappropriately. The report also highlights data breaches involving the details of hundreds of children

Key Findings

Results are for the years 2011 to 2014 unless otherwise stated. All data has been obtained under the Freedom of Information Act.

  • In a three year period 4,236 data breaches occurred in local councils, including at least:
    • 401 instances of data loss or theft
    • 628 instances of incorrect or inappropriate data being shared on emails, letters and faxes
    • 5,293 letters being sent to the wrong address or containing personal information not intended for the recipient [NB: In many cases, breaches involving a number of people are treated as a single breach by local councils.]
    • 197 mobile phones, computers, tablets and USBs were either lost or stolen.
  • On 658 occasions, children’s information was involved in the breaches.
  • 1 in 10 data breaches resulted in disciplinary action
    • 39 resignations
    • 50 dismissals
    • 1 court case – Southampton Council employee prosecuted by the ICO for transferring “highly sensitive data to his personal email account”

Policy Recommendations

Based on the report’s findings, Big Brother Watch propose a number of policy recommendations which would prevent and deter data breaches from occurring:

  1. The introduction of custodial sentences for serious data breaches.
  2. Where a serious breach is uncovered the individual should be given a criminal record.
  3. Data protection training should be mandatory for members of staff with access to personal information.
  4. The mandatory reporting of a breach that concerns a member of the public.
  5. Standardised reporting systems and approaches to handling a breach.

The extension of the ICO’s assessment notice powers to cover local authorities.

Notable Examples From The Report

Cheshire East: Inappropriate use of CCTV was reported. A CCTV operator watched part of the wedding of a member of the CCTV team. They were issued with a “Management instruction” on future use of equipment.

Lewisham Council: A social worker accidentally left a bundle of papers on the train. The bundle included personal and sensitive data relating to 10 children, including: names, addresses, date of birth, and third party information in relation to sex offenders, police reports and child protection reports. The individual involved resigned during disciplinary procedures.

Glasgow City Council: 75% of the 197 reported instances of loss or theft of equipment highlighted in Breach of Trust took place at Glasgow City Council.

Aberdeenshire City Council: An unencrypted laptop containing the details of 200 schoolchildren was stolen. The laptop was later recovered. No disciplinary action was taken but the matter was reported to the Information Commissioner’s Office.

Emma Carr, director of privacy campaign group Big Brother Watch, said:

“Despite local councils being trusted with increasing amounts of our personal data, this report highlights that they are simply not able to say it is safe with them.

A number of examples show shockingly lax attitudes to protecting confidential information. For so many children and young people to have had their personal information compromised is deeply disturbing.

With only a tiny fraction of staff being disciplined or dismissed, this raises the question of how seriously local councils take protecting the privacy of the public.

Far more could be done to prevent and deter data breaches from occurring. Better training, reporting procedures and harsher penalties available for the most serious of data breaches, including criminal records and custodial sentences are all required.  Until we see these policies implemented, the public will simply not be able to trust local councils with their data.”