The cumulative number of personal data breaches reported by nine government departments and organisations more than doubled in the 2018/19 financial year, with 7,409 reported compared with 3,522 in 2017/18.
Much of the increase appears to have been caused by stricter reporting rules introduced under the European Union’s General Data Protection Regulation (GDPR), rather than by increased losses of information. The Home Office reported 29 times as many breaches as in the previous year, and the Ministry of Defence four times as many, with both citing GDPR as a reason.
The Information Commissioner’s Office (ICO), which must be notified about serious breaches, has seen the number of reports from all data controllers quadruple following the introduction of GDPR. The EU regulation been incorporated in UK law through the Data Protection Act 2018 and looks unlikely to be affected by Brexit in the near term.
The Ministry of Justice, which CSW's sisiter title PublicTechnology revealed in May to be responsible for the largest number of Whitehall data breaches, saw half as many again than in 2017-18.
Unlike many other government departments, the ministry runs local delivery services directly through HM Courts and Tribunals Service which runs 338 court and tribunal centres handling 4.4m cases.
“While we work to reduce the number of breaches, the vast majority which do occur are low impact, and represent a tiny fraction of the millions of court cases, legal aid applications, and personal data of those in prisons or on probation we deal with each year,” said a Ministry of Justice spokesperson. “We take the security of data very seriously, training our staff to handle sensitive information and investigating each and every incident to prevent any repeat.”
The ministry reported eight significant incidents to the ICO, two fewer than the year before.
One of these, in February this year, involved a document with information on an ex-offender – including his name and current location and the names of his victims – being posted on Facebook.
The ministry said it is not known how the individual, who wanted to identify the ex-offender in his community, obtained the document but the poster has received an official police warning against further publication.
Several departments reported far greater year-on-year increases that the MoJ. The Home Office recorded 1,930 incidents, 29 times as many in 2018-19 as in the previous year. It reported 35 to the ICO, compared with two the year before.
“Post-GDPR publication of additional information and guidance around personal data and management of breaches, plus a revised reporting process, has raised awareness across the Home Office regarding the need to escalate such incidents,” it said in its annual report.
The Ministry of Defence quadrupled the number of incidents it recorded to 470. It too blamed GDPR, saying this had widened the scope of personal data and led to communication and training on the need to report data breaches.
“Along with the extension to the scope of GDPR this has led to an increase in the number of reported incidents when compared to the previous year,” it said in its annual report published in September.
It reported seven incidents to the ICO, having not reported any in 2017-18. Three of these covered medical data, including potential unauthorised access to medical records and disclosure of information to an insurance company.
The Department for Environment, Food and Rural Affairs recorded 148 incidents in its 2018-19 annual report, up 139% on a year previously. Its section on security and information management mentions new-data protection legislation but also says it “has been subject to increased threats due to its critical role in EU exit activities”. The department has appointed a senior security advisor, established a new cybersecurity service and is introducing more secure systems as part of its UnITy technology upgrade programme.
HM Revenue and Customs recorded just 22 incidents in 2018-19, 10 fewer than the year before, although its annual report says the reduction was partly due to removing some less serious incidents from the centrally managed process to focus on the most significant ones. It blamed GDPR for an increase in ICO-notified incidents, which rose from two to 12, including incorrectly issuing Internal Child Reference numbers (which become National Insurance numbers at age 16) which potentially affected 3,535 people.
Other 2018-19 annual reports revealed that NHS England and its commissioning support units recorded 13 data breaches in 2018-19, down from 37 the previous year, with new scoring criteria causing the reduction; the Foreign and Commonwealth Office recorded 35 up from 14 the year before; the Disclosure and Barring Service recorded 13 compared with 10 in 2017-18; and the Department for Work and Pensions recorded one incident, having not recorded any for the two previous years.