Scottish local authorities have recorded more than 10,000 data breaches over the last five years, The Ferret can reveal.
Incidents included the unauthorised access of data by staff, stolen data, procedural failures, theft of hardware, personal data put on websites, and the disclosure of personal information to third parties.
Police Scotland has been informed of data breaches at least 12 times and at least 47 people faced internal disciplinary sanctions.
Freedom of information requests sent to Scotland’s 32 local authorities also found that thousands of staff across Scotland have yet to complete data protection training.
While the vast majority of the 10,194 data breaches were for relatively minor issues such as emails being sent to the wrong recipient, concerns have been raised over measures in place to protect sensitive pieces of personal information.
The Scottish Conservatives said it was “quite staggering” that so many breaches could have occurred in just a few years and that The Ferret’s findings will “deeply alarm” the public. The Scottish Lib-Dems described the breaches as a “serial problem”.
Councils said the rising number of breaches is due to an increased awareness of the need to report data breaches internally.
Local authorities are expected to collect, store, use, share and dispose of personal information, or data about individuals, in line with General Data Protection Regulation (GDPR) and the Data Protection Act (DPA).
The Information Commissioner’s Office — an independent authority set up to uphold information rights in the public interest — has wide powers and can serve enforcement notices on data controllers and fine them heavily. Breaching the DPA can also, in certain circumstances, be a criminal offence.
We asked councils to provide details of data breaches since 2017.
Glasgow City Council (GCC) recorded 1,718 incidents — the highest in Scotland — but said none involved any “significant loss of data”. Eight employees faced disciplinary action with one staff member sacked.
GCC said: “We would point out that the council has very well established and internally-publicised data breach reporting processes, and previous exercises have indicated that we report a significantly higher number of data breaches than other public sector bodies.”
The City of Edinburgh Council recorded 1,103 breaches and said the majority were “breaches of confidentiality”. They included the loss or theft of hardware, the disclosure of personal data to a third party, personal data on a public website, the misuse of data, and passwords being accessed or shared.
The council said it was “not aware of disciplinary action being taken against staff” and refused to say how many of its 18,000 staff had not completed GDPR training, stating it would be too costly to find out.
South Lanarkshire Council had 224 incidents with the ICO notified on four occasions. Police Scotland were informed of 12 breaches, the council said. Incidents included a laptop stolen from an employee’s car, a work phone stolen, bank details disclosed in error, and sensitive information being discussed in a public setting.
Dumfries and Galloway Council had 231 breaches including “sensitive information” being disclosed 47 times. One case involved “no parental permission sought to discuss child”.
Last year Scottish Borders Council apologised after a data breach. The council had been in the process of alerting 1,300 residents that they were eligible for a payment because they received free school meals, but it sent three emails in which every recipient's email address was visible to all the other recipients.
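The Scottish Borders incident above is the familiar failure of listing a mass mailing's recipients in To: or Cc: rather than Bcc:. As an added example (not code from the article, the council or any of the bodies named here), the following Python check parses an outgoing message and flags it when more than a handful of addresses outside the sender's own domain appear in visible headers. The council domain, the threshold and the recipient addresses are constructed assumptions; the sample messages are built inline so the check runs offline.

```python
"""Flag outgoing bulk mail that exposes recipient addresses.

Added example; not part of the original article or any council's tooling.
All addresses, domains and thresholds below are constructed for illustration.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumed policy value: more visible recipients than this outside the
# sender's domain is treated as a mass mailing that should have used Bcc:.
VISIBLE_RECIPIENT_LIMIT = 5

# Constructed sender and recipient list standing in for a council notice.
COUNCIL_SENDER = "noreply@council.example"
SAMPLE_ADDRESSES = [f"resident{i}@example.org" for i in range(1300)]


def _domain(addr: str) -> str:
    """Return the domain part of an address, lower-cased ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def visible_recipients(msg: Message) -> list[str]:
    """Every address that will be visible to all recipients (To: and Cc:)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def check_message(raw: str, limit: int = VISIBLE_RECIPIENT_LIMIT) -> dict:
    """Classify a raw RFC 5322 message as safe or as a likely address disclosure.

    Counting only addresses outside the sender's domain avoids flagging
    internal distribution lists, where visible colleagues are expected.
    """
    msg = message_from_string(raw)
    from_pairs = getaddresses(msg.get_all("From", [])) or [("", "")]
    sender_domain = _domain(from_pairs[0][1])
    visible = visible_recipients(msg)
    external = [a for a in visible if _domain(a) != sender_domain]
    hidden = [a.lower() for _, a in getaddresses(msg.get_all("Bcc", [])) if a]
    return {
        "visible": len(visible),
        "external_visible": len(external),
        "hidden": len(hidden),
        "exposed": len(external) > limit,
    }


def build_notice(addresses: list[str], use_bcc: bool,
                 sender: str = COUNCIL_SENDER) -> str:
    """Construct a notice either the unsafe way (all recipients in To:) or
    the safe way (To: the sender's own address, recipients in Bcc:)."""
    if use_bcc:
        recipient_headers = [f"To: {sender}", f"Bcc: {', '.join(addresses)}"]
    else:
        recipient_headers = [f"To: {', '.join(addresses)}"]
    lines = [f"From: {sender}", *recipient_headers,
             "Subject: Free school meals payment",
             "", "You are eligible for a payment. Details follow."]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for use_bcc in (False, True):
        result = check_message(build_notice(SAMPLE_ADDRESSES, use_bcc))
        print("Bcc" if use_bcc else "To ", result)
```

A real gateway would apply the check before the message leaves the organisation (for example in an outbound mail filter) and would also log the sender and recipient count so that a near miss is recorded as a reportable incident rather than silently dropped.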
In 2012 the ICO fined Midlothian Council £140,000 for disclosing sensitive personal data about children and their carers to the wrong people on five separate occasions. One of them happened when papers about the status of a foster carer were sent to seven healthcare professionals, none of whom had any reason to see the information.
Miles Briggs MSP, the Scottish Conservatives’ local government spokesperson, said: “Local authorities hold many sensitive pieces of information on a whole host of individuals and services and it is crucial the public have confidence that this data is being robustly protected. Our councils are under ever-increasing pressure and have seen their budgets savagely cut year after year by the SNP Government.”
He added: “These figures must serve as an urgent wake-up call for ministers. Our councils must be protected against the threat of cyber-attacks and data breaches and the public must be reassured that these breaches will stop becoming so common.”
Willie Rennie MSP, of the Scottish Lib-Dems, said: “Data breaches are a serious matter but these figures show that they are also a serial problem. Local authorities need to demonstrate that they are improving operating procedures to cut down on these breaches.
“In the case of serious breaches they will also need to ensure that people are notified and advised if there is further action that should be taken to minimise the risk of information being misused.”
An ICO spokesperson said: “People have the right to expect that all organisations handling personal data should do so safely and securely. We have a variety of tools available to us to improve compliance, ranging from working with authorities to taking enforcement action where necessary. We have regular engagement with local authorities in Scotland.”
A Scottish Government spokesperson said local authorities are responsible for their own information sharing process. “The Scottish Government expects public bodies to maintain good working relationships and meet UK GDPR obligations when sharing appropriate information,” the spokesperson added.
The Convention of Scottish Local Authorities did not respond to our request for comment.
Data protection training
Perth and Kinross Council said that it is not mandatory to complete data protection training, although “all staff are encouraged to do so”. It said 3,870 people have completed GDPR training and that 507 are in the process of doing so.
East Lothian Council said 59 per cent of its employees are up to date with training. Orkney Council said 112 staff have yet to complete the GDPR training, with a further 483 due for a refresher, out of a total of 1,513 employees who are required to take the course.
Aberdeen Council said that of 8,910 staff required to complete “information governance training”, 1,888 have yet to complete it. “Workers are currently required to refresh this training on an annual basis and we are currently developing a strategy to increase compliance with this,” the council added.
South Lanarkshire Council said 3,557 staff out of 15,171 in total have still to complete training, and East Ayrshire Council said 1,500 employees still have outstanding training needs.
Cover image thanks to Blogtrepreneur / Flickr