What are we to make of today’s Big Brother Watch report which claims that local authorities commit 4 data breaches every day?
In the words of TV magician Paul Daniels: “Not a lot.”
At first glance, it looks impressive. It’s almost 200 pages long. But, and this is a big but, there are only a few pages of analysis – once you get past page 12, a series of annexes contain the responses from each local authority, revealing how minor the vast majority of the reported incidents (occurring between April 2011 and April 2014) actually were.
BBW started work on this report by submitting FOI requests to each local authority in June 2014. Quite why it has taken so long to publish the results, bearing in mind that FOI requests should be returned within 20 days, is beyond me. Although BBW claims to have received a 98% response rate, some 212 authorities either declined to provide information, or claimed that they had experienced no data breaches between 2011 and 2014.
Evidently, the safest place to live these days is Northern Ireland, where 21 of the 25 Northern Irish District Councils did not report a single data breach.
The report’s recommendations, unfortunately, don’t reflect too deep an understanding of the improvements to information handling procedures that are already under way, or that are likely to emerge in the foreseeable future.
BBW calls for “proper punishments for the misuse of personal information,” without acknowledging that (even) magistrates’ courts are already capable of levying unlimited fines for DPA offences. Instead, BBW joins the chorus for custodial sentences, but it failed to point out whether any of the data breaches featured in the report would have been cases where a jail term, rather than a fine, would have been a more appropriate punishment.
BBW calls for anyone who knowingly commits a data protection breach to receive a criminal record. Currently, offences are classed as civil offences. BBW is concerned that this raises the potential for an individual to gain further employment that allows them to access personal information, despite the fact that they have been punished for committing a data protection offence in a previous job.
Perhaps in a future report, BBW will also advocate sending miscreants to the stocks for a couple of days.
BBW calls for mandatory data protection training for members of staff with access to personal information – but it does not appear to know how many of the reported data breaches had occurred despite the DPA training that was in place.
BBW calls for the mandatory reporting of a breach if it concerns the public – but it failed to mention the breach reporting standards advocated by the GDPR.
BBW calls for standardised reporting systems and approaches to handling a data breach – but it failed to mention the work the ICO has already done in this area to encourage standardised breach reporting.
BBW also echoes the ICO’s calls for it to be able to audit local authorities.
But enough of all this negative stuff – the report does contain some examples of poor data handling practices that will be useful for DPOs to feature in future presentations. They include:
- A CCTV operator watched part of the wedding of a member of the CCTV team.
- An officer wrote down his contact details on what he thought was a scrap of paper but contained personal details of a complainant.
- A care agency left 23 black sacks of paperwork behind after an office move. Hundreds of clients in several authorities were affected.
- A child report was sent to the wrong recipient. The recipient used Facebook to track down the correct client and passed the report on. The client reported this.
- An advisor recorded incorrect details for noise complaint which resulted in an officer visiting the person being complained about rather than the complainant.
Happy reading.
Source: http://www.bigbrotherwatch.org.uk/wp-content/uploads/2015/08/A-Breach-of-Trust.pdf