Monetary penalties for local authorities issued by the Information Commissioner’s Office have officially passed £1m, isrisk.net is first to reveal.
Our analysis of ICO penalties for local authorities confirms the total as £1.040m as of 15th February 2012, when the latest penalty was issued to Cheshire East Council.
The eleven notices issued covered the loss of at least 1,914 records to a total of 730 unauthorised recipients.
The analysis reveals a number of interesting trends:
Fines are becoming more frequent. During 2011 there were gaps of several months between fines; towards the end of last year and in the first two months of this year, penalties were issued every few weeks. We can expect many more penalties in 2012.
Highly sensitive data
All the penalty notices issued were for loss of highly sensitive data, specifically child or adult care records. Whether this reflects a conscious focus for the ICO or simply where the losses have taken place is hard to say; however, it is clear that the ICO is reserving its power to issue financial penalties for those cases where the information at risk is sensitive and the data subjects are vulnerable.
Just one record lost is enough for a fine
45% of penalties (five of the eleven) were issued for the loss of just one record. This calls into question the common view that only the loss of multiple records would be of interest to the Commissioner. Clearly the Commissioner considers that even one record can justify a penalty where the data lost would have a significant impact on the data subject.
Data in transit
Every single fine related to data in transit. Four were for email sent to the wrong recipients, five were for paper documents sent to the wrong person or address, one for a fax sent to the wrong number, two (Ealing and Hounslow) for the loss of an unencrypted laptop, and one was caused by a Council officer leaving documents in a pub on the way home from work. None were the result of third parties obtaining access to Council networks; whether that reflects a lack of interest by hackers or Councils’ lack of capability to identify such attacks is a matter for speculation.
The most revealing aspect of these penalties, however, is that every single one was the result of human error. All could have been avoided if the individuals concerned had been properly trained and were conscious of their obligations. Equally, many could have been avoided if manual processes had been replaced with more efficient automated ones, or if the data had been sent in a more secure manner, for example encrypted rather than on an unencrypted laptop or in plain email.
Lessons for the future
There is a strong message here for local authorities and other public sector bodies: securing your network is not going to be enough. Instead, the focus should be on investing in better processes and in staff training and awareness.
The tokenistic approach many organisations have deployed in the past, annual refresher training on organisational policies, does little to embed the importance of security in the minds of staff on a daily basis. Instead, Councils and others need to foster a security culture in which everyone understands the contribution made by their own activities.
Just as importantly, however, the penalties reveal an opportunity to build a stronger business case for developing processes that are inherently more secure. There can be no excuse for sending bulk personal data by email, storing records on laptops rather than in enterprise systems, or sending highly sensitive data using obsolete and inefficient faxes.
Ultimately, we’re paying twice for these mistakes: once in high taxation driven by poor processes, and a second time in monetary penalties for data losses. The monetary penalties are, therefore, the tip of the iceberg.
Any local authority that gets to grips with the process issues highlighted here will surely make budget savings and improve services at the same time.
You can download the analysis of ICO penalties for local authorities here.