A new report published by UK-based privacy rights group Big Brother Watch (BBW) claims that the scale of private data being leaked by local authorities is significant enough to see those responsible being jailed.
The report states that during the period between April 2011 and April 2014, local councils were accountable for approximately four data breaches per day. The total number of breaches experienced during the period was 4,236, according to Big Brother Watch figures.
BBW further states that despite more than 400 instances of loss or theft, including 197 mobile phones, computers, tablets and USBs, and 600 cases where information was inappropriately shared, just a single person has faced criminal sanctions and only 50 personnel have been dismissed.
In the report, available online as a PDF, BBW clarifies that many breaches occur due to some form of human error, arising from poor training or staff being unaware of their responsibilities. “As it stands data protection training is not compulsory for those handling personal information. This needs to be rectified,” says BBW.
Big Brother Watch has proposed several policy recommendations to deter wrongful access of personal information and reduce accidental breaches. The recommended measures include: custodial sentences for serious data breaches; criminal records for serious breach incidents; and mandatory data protection training.
“Current penalties for serious data breaches do not deter individuals who are seriously considering breaking the law,” claim the report's authors.
The 199-page report goes on to state that the depth of the problem may not be fully recognised by those individuals and bodies responsible. “According to our findings, 167 (38 percent) of all local authorities reported no data breaches between 2011 and 2014. It is probable that local authorities are using different criteria to determine what is and what isn't a breach. This is unhelpful.”
Shockingly naive approach
Phil Barnett, EMEA VP and GM of Good Technology, emailed SCMagazineUK.com to say that what these figures show is a shockingly naïve approach to public data protection by the UK's local authorities.
“This highlights why the public is becoming less confident in government data protection every day. The best approach for minimising security threats is a combination of stringent security policies, the correct tools and education. Education is vital, as it equips the workforce with the knowledge they need to make informed decisions and evaluate potentially risky situations,” said Barnett.
Top down doesn't work
Egress Software CEO Tony Pepper asserts that a ‘top down’ policy approach to data protection is no longer sufficient and that councils need a more pragmatic safety net for the inevitable data breaches brought about through human error.
Pepper spoke to SCMagazineUK.com today to say that, “The regularity of breaches is worrying, particularly when you consider the fact child data was involved in 658 cases.”
He went on to accept that the issue here is not all down to the individual to mitigate and that people will always make mistakes.
“This is why it is critical the public sector invests in the right technology to provide a safety net for when mistakes do happen – for example, the classic ‘Autofill’ email blunder, where emails are sent to the wrong recipient, can be mitigated by deploying solutions that allow users to revoke access after the fact; so that the wrong recipient isn't able to read it. Matching policy with smart information security technology is the best way to protect against human error – otherwise we will continue to see breaches of this kind,” said Pepper.
David Juitt, chief security architect at Ipswitch, also commented on this news by noting that exactly ‘how’ personal data is shared within local authorities and with external agencies is absolutely key in securing the data in transit.
“There are technology solutions and data protection guidelines which account for potential flaws in human nature when it comes to keeping data safe. By automating, managing and controlling all data file transfers from a central point of control, local authorities are able to easily send and share files using IT approved methods. The IT department also retains complete control over activity. It's no longer good enough to just have the right policies in place for secure data transfer, an organisation must ensure it has the right file transfer technologies, security systems, processes, and most importantly, staff training,” said Juitt.