More Government data breaches unearthed

DVLA reports 181 breach notifications to the ICO, according to FoI requests

Posted 13 October 2020 by Christine Horton

Government departments have reported thousands of personal data breaches and numerous notifications to the Information Commissioner’s Office (ICO) between 2019-2020.

That’s according to new Freedom of Information (FoI) requests and data.

The Driver and Vehicle Licensing Agency’s (DVLA) annual report and accounts 2019 to 2020 submitted 181 notifications to the ICO in the past year alone.

Between August 1 2019 and July 31 2020, the Office of the data protection officer (DPO) received 1,291 Data Incident Reports in relation to HM Passport Office (HMPO), 1,280 of which were assessed as Personal Data Breaches.

The information was gathered by manufacturer of hardware-encrypted USB drives, Apricorn. Jon Fielding, managing director, EMEA Apricorn said the figures were cause for concern.

“Whether these are minor breaches that required no further action or not, it is clear that more needs to be done. Departments need to be considering the tools necessary to bring this number down in years to come,” said . 

According to the ICO’s Annual Report 2019-2020 there were 11,854 personal data breaches reported to the ICO in 2019-20. This is concerning given the fact that this accounts for only those that require notification. For instance, the Home Office Security annual report noted a huge 4,204 incidents were recorded in 2019-20, but just 25 were highlighted as particularly severe meaning that the ICO had to be notified. 

In NHS Digital’s 2019-2020 annual report and accounts there were 38 incidents during 2019-20 that were classified as personal data breaches. Seventeen of these related to employee data and 21 related to patient data. During this period, four of the personal data breach incidents were reported to the ICO.

Increased awareness

Fielding said the number of data incidents being reported may be due to increased awareness and changes in processes when identifying and managing data breaches.

“The change in requirements in line with the GDPR will of course see a rise in the numbers now being reported to the ICO. The increase in remote working through COVID will also have introduced more security concerns with an upsurge of information on the move. 

“Public sector bodies should follow the same process as any business would when it comes to mitigating risk. At the very least, data should be encrypted in transit and at rest so that, in the event defences are compromised, the data remains inaccessible,” he added. 

In some cases, government departments failed to provide responses to Apricorn’s FoI requests on time, or noted that the cost of dealing with them would exceed the appropriate time limit set.

“This process needs to be managed more efficiently and effectively by the departments concerned. The requests may not always be entirely straightforward, but where your data resides, and whether it has been put at risk, should be well documented. While information stored in a central database should be easily accessible, and not require multiple days to recover,” said Fielding.