Cyber Week: council data breaches saw 12% spike in FY21
Study from PublicTechnology identifies increase in incidents
While the local government sector was responding to coronavirus, data breaches suffered by councils saw a double-digit year-on-year increase, research from PublicTechnology indicates.
Via freedom-of-information requests, a representative sample of 18 authorities from across the UK – representing big cities, historic counties, and remote and rural areas – supplied data on the number of breaches suffered by their organisation in each of the last two financial years.
Having begun a week after the first national lockdown was put in place, the 2020/21 year was very much the year of Covid.
Comparisons with the prior year could provide an insight into the impact of the demands on local councils of responding to the pandemic – including, practically overnight, enabling large parts of their workforce to work remotely – as well as the scale and severity of the threat posed by a rise in opportunistic cybercriminals seeking to exploit coronavirus.
Our data shows a clear increase in the number of breaches recorded across the councils. The figures are, it must be said, a little inconsistent – with a third of authorities revealing that the number of incidents logged actually went down in 20/21 when compared with the prior year. It is also clear that different organisations have very different interpretations of what constitutes a data breach that needs to be recorded.
Nottingham is little bigger than Belfast; about 330,000 citizens live in the former, and 280,000 in the latter.
But it is not so much bigger as to explain a tenfold difference in the number of incidents logged by the two city councils.
In FY21, Belfast suffered 32 breaches that passed the council’s threshold for recording, while Nottingham logged 279.
Councils representing the county of Dorset and the London borough of Barnet each serve a citizenry in the region of 400,000 people.
But, with 297 incidents in 2020/21, the former seemingly suffered more than three times as many breaches as the latter, which recorded 297.
Cornwall, a vast county with a widely dispersed population of 570,000, told us that it recorded only 10 incidents. In the city of Kingston upon Hull, meanwhile, the figure was 198.
But while there are clear discrepancies in how authorities interpret the law, what is also clear from our research is the trend towards a rise in data breaches during the year of Covid.
Across the 18 councils, a cumulative tally of 2,731 breaches was recorded in 2020/21, compared with 2,429 in the prior year. This equates to an increase of 12.4%.
The number of breaches that were so serious as to need to be reported to the Information Commissioner’s Office rose from 78 to 91.
This represents a very slight rise – from 3.2% to 3.3% – in the proportion of breaches that required regulatory reporting.
Once a breach has been reported to the ICO, the watchdog has the power to make recommendations for how organisations should respond, or even take enforcement action, if it is deemed necessary.
With 28 breaches reported to the regulator across the two years, Dorset Council had one of the highest tallies of any of the authorities featured in our research – surpassed only by Staffordshire with 34, including 28 in the most recent year alone.
Dorset told PublicTechnology that, while it has not been subject to any enforcement action, in most cases the data-protection watchdog had recommended ways in which to respond to the incident in question and future measures the authority could take.
“Most cases that were reported to the ICO we were provided with recommendations based on the individual data breach,” the council said. “These recommendations were regarding future prevention and improving processes or how to act should a similar action happen again.”
Hull, which reported seven breaches to the regulator in FY20 and four in the following year, said that “the ICO have been satisfied with the action we had taken” in each of these cases.
The council added: “They have usually recommended we do the following also: ensuring robust systems to double check the process when dealing with individual’s personal information, and the need for clear policies and procedures in respect of the disclosure of personal information to prevent incidents of this nature from happening in future; periodic checking of processes to ensure they are still relevant, up to date and fit for purpose; carrying out spot checks to ensure all staff are adhering to policies and procedures in place; reviewing [our] risk assessment with regards to the affected data subjects for a period of time, to ensure any potential detriment is not caused by the breach; practical role-specific refresher data protection training should be carried out biennially, to ensure staff are aware of their responsibilities for securing the personal information they process and store; the breach, suitably redacted, could be used as training to help staff understand the impact of not taking appropriate measures to ensure the security of the personal information they process and store.”
Nottingham City Council indicated that it had reported four and six breaches to the ICO in the last year and the one before, respectively. It received much the same advice as Hull, but added several other recommendations that the regulator had made.
According to Nottingham, the watchdog proposed: “The use of routine reminders. For example, these may take the form of posters, staff emails, newsletters and internal reminders on your staff intranet.”
The council had also been advised to: “Consider whether it is necessary to update your breach notification process to allow for breaches to be recognised and escalated to the appropriate decision maker promptly; this will enable you to comply with the 72-hour reporting requirement in future. Continue to monitor the risk to the affected data subjects so that appropriate steps can be taken to mitigate this risk where necessary. If appropriate, continue to seek confirmation from the unintended recipient that they have deleted the email and its attachment, and haven’t further copied or shared the information contained within it.”
Suffolk said that it had received a “reprimand” from the ICO in relation to one of the 15 breaches it had reported to the regulator in 2019/20.
In addition to some of the standard measures cited by other councils, Nottingham was also instructed “to implement identified measures in relation to its social care case management system”.
Other than this specific recommendation, it is striking that the advice issued by the ICO in light of a breach is invariably a simple reminder to do the basics right – particularly with regard to ensuring employees have received adequate training, and are aware of their responsibilities.
“Reminding employees that it is a criminal offence under section 170 of the Data Protection Act 2018 for an employee to obtain or disclose personal data without the consent of the data controller,” was one of the pieces of advice issued to Nottingham.
The regulator also told the council: “The ICO recommends, as good practice, that refresher data protection training is carried out annually to ensure all staff are aware of their responsibilities when handling and storing personal information. However, the ICO also recognises that some organisations may be restricted by available resources but would recommend that in such cases, refresher training does not exceed two years.”
After the year councils have been through, it may be time for such a refresh.
This article forms part of PublicTechnology Cyber Week, in association with Akamai. Throughout this week, the site will bring you a range of content looking at the major security issues facing the public sector, and the country as a whole - as well as insights on how these challenges are being met, and how government and regulators can support this. We will also be hosting an exclusive webinar discussion in which NHS Digital will discuss the challenges it has faced in the past 18 months, ensuring the resilience of its services in the face of unprecedented demand.