Transparency and disclosure are all part and parcel of incident response, ensuring the organisation remains accountable and that lessons are learned. Obfuscate that process and you remove the impetus for improvement, which is why it’s so concerning that the public sector seems to be doing just that, moving us backwards when it comes to data protection.

A recent Freedom of Information (FoI) request, made for a third consecutive year, reveals that device and data losses are on the rise. Submitted to 14 government departments, the results showed a 45 percent increase in lost and stolen devices at Her Majesty’s Revenue and Customs (HMRC), which declared 635 lost and stolen devices, and a 91 percent increase in losses reported by the Department of Business, Energy and Industrial Strategy, which reported 204. Of the local councils, which were included for the first time, 27 disclosed the loss of more than 600 devices and almost 1500 data breaches during last year.
If that weren’t concerning enough, some, such as the Ministry of Justice (MoJ), declined to provide answers at all despite having provided information in previous years (when 345 devices were lost or stolen and there were 2152 data breaches between 2020-21). Similarly, the Foreign, Commonwealth and Development Office (FCDO) also declined to respond. In fact, of the 33 departments and authorities that responded to the FoI requests, 20 referenced one or more section clauses from the Freedom of Information Act (FoIA), enabling them to refuse to answer some, or all, of the questions.
Avoiding the issue
In the case of the MoJ, it cited section 31(3) of the FoIA and section 31(1)(a) of the FoIA (prevention and detection of crime). The former is usually cited when the disclosure of information would expose a department to potential threats of a criminal nature, such as releasing information about the cyber security measures or processes that a department has put in place that could identify potential vulnerabilities. A further 11 government departments and authorities also referenced section 31, suggesting more are using the clause to avoid answering any requests that relate to their security posture, irrespective of whether that refusal is truly justified.
Others said the cost and time to respond were too high to justify answering the requests. Section 12 of the Act makes provision for public authorities to refuse requests for information where the cost of dealing with them could exceed the appropriate limit, which for central government is set at £600. This represents the cost of one person spending 3.5 working days fulfilling the request by locating, retrieving and extracting the necessary data. But if anything, data management should have improved over time to make the process more efficient. Departments should be able to lay their finger on this data much more quickly, which again suggests that either processes have worsened or departments are abusing these clauses.
In another example, the UK Health Security Agency (UKHSA) stated that the information requested was exempt from disclosure in accordance with section 24, for the purposes of safeguarding national security. It considered that the information could pose a threat to the security of its infrastructure and argued it could be used in the reconnaissance phase of the 5 or 7 phase Cyber Kill Chain model proposed by Lockheed Martin back in 2011. However, couldn’t any data be classed as reconnaissance material?
A track record of refusals
These are not isolated incidents either. According to governmental data published in April 2023, records show that fewer than 40 percent of FoI requests logged in 2022 were fully met, with more than half partially or completely withheld. In 2021, an investigation found that government departments had spent at least half a million pounds since 2016 trying to block the release of information under transparency laws. Lewisham council also made the headlines in 2022 when it failed to reply to information requests, and the Department for International Trade (DIT) and the Department for Business, Energy and Industrial Strategy (BEIS) were also reprimanded by the Information Commissioner’s Office (ICO) for not responding to FoI requests on time.
Yet, despite the obvious undermining of the FoIA, there has been no clampdown but rather a relaxation of regulations. The ICO stated in June last year that it intends to use discretion to reduce the impact of fines on the sector between now and 2024, with fines only to be issued in the most serious cases. We’re also seeing the UK’s version of GDPR being hammered out in parliament, which is expected to see data protection requirements reduced.
Under the Data Protection and Digital Information Bill (DPDI), Records of Processing Activity (ROPA), Data Protection Impact Assessments and the requirement for a Data Protection Officer (DPO) will be abolished unless the organisation is processing high risk data, which has yet to be defined. The scope of data that needs to be classified as Personally Identifiable Information (PII) will also become narrower, which means more data will have less protection afforded to it.
Such developments do not bode well for the governance of data, effectively eroding the measures put in place to ensure it is processed securely, as well as making it much more difficult to hold organisations to account. They threaten to undo much of the progress made to date and that which could be made in the future. With data losses on the increase, we need to be taking a tougher stance and using post-incident review to determine where improvements can be made, rather than allowing the public sector to sweep the problem under the carpet.