Central government reported almost 500 personal data breaches to the Information Commissioner’s Office in 2019-20, with one in ten requiring formal investigation and at least 10 incidents that have required the department in question to take remedial action.
A freedom of information request submitted to the ICO by CSW’s sister title PublicTechnology reveals that, during the 12 months to the end of March 2020, central government entities reported a cumulative total of 495 breaches to the regulator. This represents a slight increase of 1.9% on the number that were reported in the prior year.
Following investigation, the ICO has required some form of action on the part of the data controller in 10 cases.
A further 35 are still under investigation, two are yet to be assigned to a caseworker, and 448 processes have concluded with no action required.
Individual case details and outcomes were not available, but notable examples of breaches known to have been suffered by departments in the 2019/20 year included two separate incidents reported by the Home Office within the first week of the financial year.
First, the department claimed that an “administrative error” had seen it expose the email addresses of hundreds of individuals that had expressed an interest in the then newly launched Windrush compensation scheme.
[Infographic: personal data breach reports filed with the ICO by central government departments in 2019/20; proportion of central government incidents requiring formal investigation; number of local councils that had to agree an improvement plan with the regulator; total number of breaches reported across the local government sector; increase in overall data breaches reported in 2019/20 compared with 2017/18, the last year before GDPR]
Just a few days later in April 2019, it accidentally leaked the email addresses of 240 applicants to the EU settlement scheme.
Following these incidents, Home Office minister Baroness Williams of Trafford indicated that “strict controls have been put in place on the use of emails when communicating with two or more members of the public, including oversight of communications by senior civil servants and use of alternative technology to prevent reoccurrence".
The Department for Education, meanwhile, alerted the ICO in January to a breach in which the security of the records of 28 million current or former students was compromised. Although the universities minister Chris Skidmore claimed that, during the incident, "there was no data released about individual learners, only a confirmation or denial that a record existed"
In April, the DfE revealed that, following the breach, it had implemented a number of new measures and controls on data access, including revoking the rights of certain third parties.
The ICO indicated at the time that it was still investigating the matter.
“The ICO is considering a number of potential compliance concerns associated with data obtained from the Department of Education’s Learning Records Service,” a spokesperson said. “We are continuing to investigate."
A local issue
During 2019-20, the regulator also received a collective tally of 1,006 data-breach reports from the local government sector.
In 10 cases it has been deemed that further action is required by the council in question, including two in which the authority has had to agree an improvement plan with the ICO. Some 75 remain under investigation, while 920 processes have completed with no further action required, and one incident is yet to be assigned.
The overall total of breach reports from local government is down slightly from the 1,069 that were received in the 2018/19 year.
But the number of incidents being reported is still massively increased on pre-GDPR levels; in 2017-18, which ended two months before the European data law was brought in, local councils collectively reported only about 300 data breaches.
The overall number of reports filed across all sectors quadrupled following the introduction of GDPR, from 3,331 in 2017/18 to 13,840 the following year.
This figure dropped by almost 1,000 in the most recently completed year, with 12,902 breaches reported across the country.
Of these, action has been required or enforced in 103 cases, including one where an undertaking has been served by the ICO, and four in which an improvement plan has been agreed – two of those involved local councils.
A further 1,633 personal data breaches are still subject to a formal investigation.
More sectoral detail will be contained in the regulator’s annual report, which is due to be published in the coming weeks.
But the report from the 2018-19 year makes it clear that the GDPR era has brought an even bigger surge in breach reports from private industry than the increase seen in the public sector.
In 2017-18, the health sector was by far the biggest source of breach reports, accounting for more than a third of the total. The education and local government sectors were a distant second and third on 11% and 9%, respectively.
Breach reports filed by the ‘general business’ sector also represented about 9% of the total that year.
But, in 2018-19, this industry was the single-biggest source of data breaches, with more than 2,500 reports filed, equating to 18.1% of the total.
Health was in second place on 16.3%, and education on 13.1%, while the finance industry also saw a big spike, accounting for 10.4% of all reports – more than 1,400 breaches in total.
Sam Trendall is the editor of Civil Service World's sister site PublicTechnology, where a version of this story first appeared. It formed part of PublicTechnology's Cyber Week, a dedicated programme of content focused on the threats facing the public sector and the country at large, and how government can best respond.