Between April 2011 and April 2014, local authorities across the UK suffered at least 4236 data breaches, according to new research.
Privacy campaigner Big Brother Watch is behind the study, which gathered data from Freedom of Information (FOI) responses from 98% of all councils in the country.
The group asked local government bodies in the UK for the number of individuals who have been convicted for breaking the Data Protection Act (DPA), the number who have had their employment terminated as the result of a DPA breach, the number who were disciplined internally, the number who resigned during proceedings and the number of instances where no action was taken.
The findings revealed at least 401 instances of data loss or theft, 628 instances of incorrect or inappropriate data being shared on emails, letters and faxes, 159 instances of data being shared with a third party, 99 cases of unauthorised people accessing or disclosing data and 658 cases where children’s personal data was involved in a data breach.
Instances of data breaches recorded included letters being sent to the wrong address, letters containing information not intended for the recipient, lost and stolen mobile devices and breaches involving sensitive or confidential personal information.
Of the data breaches disclosed by the local authorities, 68% of cases resulted in no disciplinary action and, when action was taken, 2.1% resulted in resignation or dismissal.
Just one court case relating to the Data Protection Act has taken place, when an employee of Southampton Council was successfully prosecuted by the Information Commissioner’s Office (ICO) for having ‘transferred highly sensitive data to his personal email account.’
According to the report, A Breach of Trust: How local authorities commit four data breaches every day, the data breaches themselves are not the only concern; there is also the seeming lack of punishment.
“[The document] highlights a number of major issues which need to be resolved. Until proper punishments for the misuse of personal information are implemented the problem has the potential to grow, particularly as the gathering of data increases year on year with new technologies and a move to paperless systems,” it claims.
“Imposing tougher penalties for the most serious of data breaches has received widespread support from a variety of organisations and individuals, including the ICO, the Justice Select Committee and the Home Affairs Select Committee,” it adds.
Big Brother Watch recommends that, going forward, local authorities invest in better training which is compulsory for those handling personal data and that all organisations take the same approach when a breach occurs.
“This report provides even more evidence that human error really is the biggest challenge facing information security professionals and it needs to be dealt with,” claimed Egress CEO Tony Pepper.
“The regularity of breaches is worrying, particularly when you consider the fact child data was involved in 658 cases.
“While public sector organisations already have top-down policies and procedures in place, it is clear that staff are not following these rules and that in many cases, there are not really any repercussions if they fail to do so.
“It is not all down to the individual to mitigate this; people will always make mistakes and organisations need to accept that, but they should not accept that this needs to result in confidential data being breached,” he added.