A little local difficulty

by | Nov 5, 2013 | Data Protection, ICO | 1 comment

A very long time ago – long enough that I should have long since stopped mentioning it – I worked at the Information Commissioner’s Office. My time there was relatively undistinguished and I left as soon as I saw a better paid DP / FOI job in local government (yes, That Means I Am Biased In Favour Of COUNCILS AND part of the CONSPIRACY??!!). While I was there, I had five different managers – one for just five days – but by far the best one was Dawn Monaghan. She was down-to-earth, fair and both gave and earned loyalty. While I was disenchanted with the ICO by the time I left, I was genuinely sorry to leave her team.

So what better way to pay tribute to someone to whom I owe a debt of gratitude than to mock the article she wrote which was published on the ICO website last week?  Monaghan’s blog was about the ‘data leaks’ in local government and seems to be founded on the idea that collective naming and shaming of an entire sector is a winning formula. While I look forward to follow-ups like ‘The Banks Are All Bellends’ and ‘Insurance Companies Can Sod Off’, I feel that Dawn’s blog is somewhat unsatisfactory on its own terms, and so I have annotated it below:

The local government sector has already received penalties totalling over £2m in the last three years following serious failings in the way they are looking after people’s data.

We have fined some councils because in a relatively small number of cases, individual staff made mistakes that led to incidents, and the councils told us about those incidents. We could make a case that policy and training failures led to the incidents, and so we fined them. Half the time, if they hadn’t told us, we wouldn’t have known. Of course, this could mean that there are loads of incidents in other sectors that we don’t get told about, and I’m arbitrarily going after the whole local government sector when they might not actually have the biggest problems. But it’s my turn to do one of these, so I’ll keep going.

The total value of these penalties is higher than for any other sector, with councils stuck in an apparent cycle of all too common mistakes.

These organisations account for less than 2% of the sector, but we think the best way to motivate millions of people working in local government is to tell them that they’re all shit. But I’ll say ‘apparent’ to make it sound a bit less like we’re saying that. We are saying that.

All of these breaches could have been prevented if councils had looked after people’s information correctly by complying with the Data Protection Act.

Many of these incidents would have happened anyway. Incidents happen all of the time in every organisation. We even had one of our own which we described as a ‘Non Trivial Security Incident’ in our annual report but we still won’t tell anyone what it was. If the councils had done a better job of complying with the seventh principle (and the fourth one, but we don’t bother with that one so much), we would not have fined them. Although, given that the only council who has taken us to the Information Tribunal on a CMP case got it overturned, making such a big deal out of this might not be a good idea.

The Information Commissioner’s Office (ICO), who I work for, is responsible for helping councils look after the personal information they hold by providing support and guidance on its website and through a dedicated helpline.

We’re actually responsible for regulating every single organisation that processes personal data for any non-domestic purpose in every professional, official, commercial, voluntary and charitable sector in every corner of the UK. We go after one sector in particular because of a very good reason that we just don’t have time for now.

The ICO also provides free audits and advisory visits to help council’s improve their practices. All of this work enables us to develop a detailed understanding of where councils are and, even more importantly, aren’t getting it right when to comes to looking after people’s information.

Like most of the people who work in the Information Commissioner’s Office, I have no local government experience. One of the Deputy Information Commissioners used to work in local government but he does FOI. But we definitely know enough about councils to say that they’re all shit.

While not all of the information councils handle will be personal and an even smaller percentage of that will be sensitive personal data, such as information relating to an individual’s health, I see the same errors and oversights from councils across the UK.
Of the 22 penalties issued to local councils already, over half of the cases relate to information being disclosed in error. The most recent example of this relates to a penalty of £100,000 which was served by the ICO on Aberdeen city council in August. This was after the social services records of several vulnerable children were unwittingly published online and remained available for a three month period.

Councils work in a very specific way and are forced to deal with a wide variety of different organisations (schools, the courts, the police, NHS, probation services, central government). They inevitably have to share a lot of data and cope with their partners’ wildly different cultures and a huge range of settings and challenges – face-to-face meetings, faxed evidence, service users who don’t have email, warring elected members – and services that range from planning to waste collection to social care. Budget cuts and the community based nature of local government work means that they are obliged to move to inherently unsafe working practices like home and mobile working, shared offices and flexible IT. This means that the likelihood of their data going missing is considerably greater than any other sector. Councils combine this with a masochistic tendency to confess all to the ICO when things go wrong. There is definitely a very good explanation for why I am not focussing on that inconvenient and complicated reality, but there’s a word limit and I should probably stick to it.

The error was caused by an employee who failed to recognise that a program on their second hand laptop automatically uploaded documents online. The problem was allowed to go unnoticed for several months as the council had no home working policy for its staff and had no restrictions on the downloading of sensitive information from the council’s network

It’s not possible for an organisation to have policies and training in place and yet still experience incidents because policies are magic.

More commonly, councils have received penalties after sensitive information – often relating to individuals and children in care – is sent to the wrong person either through email, post or fax. In these cases errors have occurred due to insufficient guidance and training for staff, a clear lack of management oversight, or a failure to put any form of safeguards in place to prevent email, fax or postal addresses being entered incorrectly.

Often it is a combination of all three, resulting in multiple data breaches where the original mistake has continued to go unnoticed until one of the recipients has contacted the council to alert the relevant authority to the problem.

This statement might imply that I don’t know the difference between an incident and a breach even though that’s partly why we lost the Scottish Borders case. But it’s OK, because I’m not the only person around here who doesn’t understand it.

The use of unencrypted laptops or memory sticks to store sensitive personal data is another area of concern. Failing to encrypt the data means that the information can be accessed in a matter of minutes if the device is subsequently lost or stolen. Password protection is not enough.

The security measures an organisation adopts to protect personal information stored on a laptop or memory stick must reflect the sensitivity of the data contained on the device. When the data is sensitive data, the loss of which is liable to cause damage and distress to those affected, then encryption is a must.

Encryption is a relatively simple measure to adopt, costs relatively little to introduce and we have published a useful blog introducing the various encryption options open to councils to help them keep their data secure.

We can’t say for certain if other sectors routinely use encryption because we just act on the cases that people tell us about. We could probably defend that position and many of those council and NHS cases had merit, but I think it’s better to overreact in blogs like these and annoy lots of people by lumping their entire sector together and giving it a kicking.

Councils must ask themselves what personal information they are processing? How sensitive is it and whether existing data protection policies and procedures are effective?

The breaches reported to us are preventable and it is up to councils to make sure they are stopping them before a serious breach occurs. Failure to do so not only leaves a council in line for a potential fine of up to £500,000, but also shows that they have failed to play their part in breaking a damaging cycle of data protection failings within the local government sector.  

The incidents that our Technology Advisor admits are not reported to us may indicate failings just as bad in other sectors, but we don’t know how to find out about them. So despite all the good work we do, for some reason we lash out at at a beleaguered sector that does some of the most difficult and thankless work in the public sector because their failings are the most immediately obvious to us, even though others may be just as bad or worse, and those people who may be less motivated to take the ICO’s important messages seriously as a result.