Local councils in the UK suffered 1,035 data breaches since 2008, but only 53 were reported to the Information Commissioner’s Office (ICO), according to a report released today by Big Brother Watch.
The civil liberties campaign group sent Freedom of Information Act requests to every local authority in the UK, requesting disclosure of all data breaches that took place between August 2008 and August 2011. It received responses from 395 (91%) authorities.
There were 1,035 data breaches duting the time period, it discovered, affecting 132 local authorities, including 35 that lost information relating to children or people in care.
Cross-checking against the ICO’s records revealed that just 53 (5%) had been reported to the data protection watchdog.
In total, at least 244 laptops, 98 memory sticks and 93 mobile devices went missing. Other breaches included sending emails or letters containing sensitive data to the wrong recipient, phishing attacks, and loss of hard-copy council documents.
Buckinghamshire and Kent were the authorities with the most data loss incidents, with cases 72 each. However, Big Brother Watch concluded from the fact that some councils reported zero data breaches that authorities are using different definitions of data loss.
There were nine dismissals or resignations as a result of data protection lapses, with offences ranging from accessing benefits information without permission, to the loss of a single CD. "The fact that only a tiny fraction of staff have been dismissed brings into question how seriously managers take protecting the privacy of their service users and local residents," said Big Brother Watch director Nick Pickles.
The largest data loss occurred at Birmingham City Council, where a USB stick containing the names, addresses, contact details and ethnic origin of 64,000 residents was lost. The responsible member of staff resigned.
Commenting on the report, an ICO spokesperson said that data protection was particularly important for councils handling information about children. "It’s vital that local authorities properly live up to their legal responsibility to keep personal data secure, calling for councils to go beyond putting the correct policies in place, and to develop a culture which takes data protection seriously.
"Four out of the six monetary penalties that we’ve issued so far have involved data losses at councils," the spokesperson added.
Big Brother Watch said that there is a "clear need for the ICO to have the power to audit organisations without needing their consent to ensure that the ICO is fully aware of data protection breaches,"
The ICO said today that it will submit a formal business case to the Ministry of Justice asking the government to give it "powers to conduct compulsory audits in the local government sector".