The UK data protection authority, Information Commissioner’s Office (ICO), has published statistics regarding breach incidents in the first quarter of this year (1 April – 30 June 2013). In a related press release, the ICO discussed conclusions drawn from the numbers regarding the most common types of data breaches and the sectors that appear to be at greatest risk. It also described the enforcement tactics used to respond to the incidents.
As many as 175 out of 335 data breach incidents investigated by the ICO concerned data being ‘disclosed in error’. This includes situations where emails were sent to the wrong people or where information was erroneously included in freedom-of-information responses. The ICO highlighted that carelessness was often at the heart of the problem, with the same mistakes frequently repeated. ICO treats carelessness seriously and will take enforcement action were warranted. Loss or theft of paperwork and hardware were the second- and third-highest, respectively.
The ICO also looked at where the incidents occur most frequently, finding the health sector and local government at the top of the list. The ICO noted reported incidents for these sectors were likely to be seen to be higher because of the presence of internal reporting guidelines. The third and fourth places on the list were taken by schools and the legal industry. The ICO noted that it will keep an eye on these sectors to see how they perform in the next quarter.
Recent enforcement action by the ICO includes:
- Three monetary penalty notices: (i) £75,000 issued to the Bank of Scotland after customers’ account details were repeatedly faxed to the wrong recipients (ii)£70,000 against Islington Borough Council for releasing the personal details of over 2,000 residents to a freedom of information website ‘Whatdotheyknow’; and (iii) £100,000 against Aberdeen City Council for failing to control the handling of personal data by homeworkers which led to sensitive personal data being uploaded to the internet and as a result, publicly available;
- an enforcement notice against Powys County Council and an undertaking signed by Mansfield District Council, each in relation to improving data protection training; and
- an undertaking signed by Prospect, a trade union, to develop policies, minimise the use of data and use as much anonymised data as possible.