Data security failings in central government appear to “have skyrocketed” under the Information Commissioner’s Office’s (ICO) current approach to public sector enforcement, according to one legal expert.
Official figures from the ICO suggest that there was an 8000 percent increase in the number of people affected by financial data breaches in central government between 2019 and 2023.
“It’s an extraordinary figure and suggests that we might be seeing a crisis in data security in central government,” said Jon Baines, senior data protection specialist at law firm Mishcon de Reya.
“We have seen some huge, and catastrophic, data security breaches in recent months. For example, the compromise of the England and Wales electoral register, and ransomware incidents involving the British Library and a number of other UK public authorities.”
Baines disputed Information Commissioner John Edwards’ recent comments that his policy of not fining the public sector, but instead issuing non-binding reprimands, was “very effective, especially in the public sector where reputation is worth more than the purse.”
“On the contrary, the evidence in fact points rather starkly the opposite way. Since his softer-touch approach for public authorities was adopted, it appears that data security failings at least in central government have skyrocketed,” said Baines.
“No explanation or transparency”
The figures derive from reports of ‘personal data breaches’ (PDBs) made under Article 33 of the UK GDPR to the ICO. A PDB is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
“These figures are buried away in a freedom of information disclosure by the ICO: they were not proactively published, there appears to be no explanation for the enormity of the issue, and nor does there seem to be any transparency within central government about how such security issues are happening and what is being done about them,” said Baines.
“The evidence points to a pressing need for government to get its house in order, and for the ICO to take a fresh look at whether there is a need for more robust enforcement in the public sector.”
On its website, Mishcon de Reya noted that not every PDB indicates a serious failure warranting enforcement action, and some will turn out to be ‘near misses’. However, the figures do show a massive increase in the numbers potentially affected between 2019 and 2023 (from 2.4 million in 2019 to 195 million in 2023), with a notable upswing between 2022 and 2023 (from 70 million to 195 million).
ICO to review its approach
The law firm added that it is important to note that the softer-touch approach was introduced as a “trial”; in response, the ICO has confirmed that it will review the revised approach to public sector enforcement after the two-year trial.
However, the ICO didn’t say whether the increase in central government data breaches required action.
“We are continuously engaging and working with government departments to remind them of their legal obligations, and offer guidance and advice with the aim of improving practices. Over the past two years, we’ve also taken formal action against a number of central government departments, using the full range of our regulatory powers to uphold people’s information rights… We can confirm there will be a review [of the revised approach to public sector enforcement, after the two year trial].”