What are we to make of today’s Big Brother Watch report which claims that local authorities commit 4 data breaches every day?
In the words of TV magician Paul Daniels: “Not a lot.”
At first glance, it looks impressive. It’s almost 200 pages long. But, and this is a big but, there are only a few pages of analysis – once you get past page 12, a series of annexes contain the responses from each local authority, revealing how minor the vast majority of the reported incidents (occurring between April 2011 and April 2014) actually were.
BBW started work on this report by submitting FOI requests to each local authority in June 2014. Quite why it has taken so to publish the results, bearing in mind that FOI requests should be returned within 20 days, is beyond me. Although BBW claims to have received a 98% response rate, some 212 authorities either declined to provide information, or claimed that they had experienced no data breaches between 2011 and 2014.
Evidently, the safest place to live these days is Northern Ireland, where 21 of the 25 Northern Irish District Councils did not report a single data breach.
The report’s recommendations, unfortunately, don’t reflect too deep an understanding of the improvements to information handling procedures that are already currently likely to emerge in the foreseeable future.
BBW calls for “proper punishments for the misuse of personal information,” without acknowledging that (even) magistrates courts are already capable of levying unlimited fines for DPA offences. Instead, BBW joins the chorus for custodial sentences, but it failed to point out whether any of the data breaches featured in the report would have been cases where a jail term, rather than a fine, would have been a more appropriate punishment.
BBW calls for anyone who knowingly commits a data protection breaches to receive a criminal record. Currently, offences are classed as civil offences. BBW is concerned that this raises the potential for an individual to gain further employment that allows them to access personal information, despite the fact they have been punished for committing a data protection offence in a previous job.
Perhaps in a future report, BBW will also advocate sending miscreants to the stocks for a couple of days.
BBW calls for mandatory data protection training for members of staff with access to personal information – but it does not appear to know how many of the reported data breaches had occurred despite the DPA training that was in place.
BBW calls for the mandatory reporting of a breach if it concerns the public – but it failed to mention the breach reporting standards advocated by the GDPR.
BBW calls for standardised reporting systems and approaches to handling a data breach – but it failed to mention the work the ICO has already done in this area to encourage standardised breach reporting.
BBW also echos the ICO’s calls for it to be able to audit local authorities.
But enough of all this negative stuff – the report does some examples of poor data handling practices that will be useful for DPOs to feature in future presentations. They include:
- A CCTV operator watched part of the wedding of a member of the CCTV team.
- An officer wrote down his contact details on what he thought was a scrap of paper but contained personal details of a complainant.
- A care agency left 23 black sacks of paperwork behind after an office move. 100s of clients in several authorities were affected.
- A child report was sent to wrong recipient. The recipient used Facebook to track down correct client and passed report on. The client reported this.
- An advisor recorded incorrect details for noise complaint which resulted in an officer visiting the person being complained about rather than the complainant.