Council data breach cases rising up 34% in Suffolk
PUBLISHED: 09:06 04 January 2019
Councils in Suffolk reported more than 300 data breaches in 2018 – a third more than in 2017 – potentially exposing personal details of thousands of residents in the county.
Suffolk County Council had the most cases and saw a 20% increase in the number of breaches of private data – from 221 cases in 2017 to 265 in 2018.
Five of the six authorities in Suffolk have seen an increase in breaches year-on-year. A data breach can consist of any personal, private or classified information being accessible or exposed to those it is not intended for.
This could be caused by human error and lost records to deliberate, malicious attempts such as phishing emails to obtain data like usernames, passwords, addresses or financial information.
Why are there more incidents being reported?
Chris Bally, county council deputy chief executive, pointed to changes in data protection law in last year as one reason for the increase.
He said: “The General Data Protection Regulation (GDPR), in force from May 2018, introduced a new duty on all organisations to report certain types of personal data breach to the Information Commissioners Office (ICO).
“Suffolk County Council has always had strong arrangements in place for managing data breaches, but the ICO’s guidance, in light of the GDPR, requires us to have robust breach detection, investigation and internal recording and reporting procedures in place.”
Before GDPR came into effect, Mr Bally said the council reviewed their existing breach reporting mechanisms and introduced compulsory training for all staff so that the importance of protecting personal data was made a priority.
“The 20% increase in the number of incidents reported is largely due those reviews and greater staff awareness,” he added.
“Keeping residents’ and customers’ data safe is of paramount importance to the council.
“We require all potential breaches to be reported. This in turn allows us to proactively monitor and address any security concerns and, most importantly, ensure that we’re open with people about how we protect their data.”
Peter Gardiner, county council opposition spokesman for public protection, said: “I think this 20% increase is significant and requires further scrutiny.
“People are perhaps not as aware as they should be when it comes to data security.”
What is the case at other councils in Suffolk?
Ipswich Borough Council rose from 11 cases in 2017 to 29 in 2018.
IBC were responsible for the largest number of exposed records in one incident, with thousands of addresses held in an unsecured filing cabinet in a defunct office, but no records were exposed.
An IBC spokesman said the council “takes data security extremely seriously and are constantly reviewing procedures” and that the vast majority of incidents at the council were near-misses or involved internal emails sent to colleagues in error.
Babergh and Mid Suffolk reported together that their recorded breaches rose from nine to 12 in the same period.
A Babergh and Mid Suffolk District Councils spokesman said also cited GDPR as a reason for an increase in incidents.
Waveney District Council increased from two cases to 17 and Suffolk Coastal District Council increased from two cases to 10.
The number of data breaches for 2018 uses the latest figures available, up to and including November 28, 2018.
West Suffolk Council, which was previously Forest Heath and St Edmundsbury District councils, reported eight incidents between January 2017 and November 2018 with no incidents reported to the ICO, stating they have robust procedures for monitoring and reporting data breaches. No year-on-year breakdown was provided.
Waveney and Suffolk Costal District councils were also approached for comment.