A Scottish council which boasted of its high data protection standards had more than 200 data breaches in two years and hundreds of staff had not completed compulsory data protection training, The Ferret can reveal.
In a response to a freedom of information request, Aberdeenshire Council revealed there were 243 data protection failures between January 2020 and March 2022.
There has been a significant increase in data breaches at the council in recent years, from just eight in 2015-16 and 2016-17, increasing to 28 in 2017-18, and 67 the following year. Since then, there have been more than 100 data breaches annually.
One victim whose data was accessed by council staff told The Ferret: “These figures are really concerning. There needs to be a major overhaul of this council by external bodies, and new councillors need to ask serious questions about what is going on.”
“Training has clearly not worked nor is it a deterrent. Those breaking clear IT policies need to be removed from public jobs”.
The Information Commissioner’s Office (ICO) said that people have the right to expect organisations to comply with data protection law when handling their personal information.
Aberdeenshire Council said the majority of breaches “are minor and accidental” and that every incident is “taken very seriously”. Data protection training is compulsory within all services, the council added.
The council’s data protection statement promises personal data security, stating it is “committed to making sure your personal information is safe and protected from … inappropriate access, misuse or theft.”
The statement goes on to say the council makes “sure our staff are well trained, informed and security aware to minimise privacy risks from human error and threats from unauthorised access to your data”.
A November 2021 Data Protection report by Aberdeenshire’s data protection officer said that 66 per cent of breaches in the previous year had been down to “lack of due care when using email accounts”.
The report also revealed that 2327 staff had not completed mandatory data protection training including 1936 with the council’s Education and Children’s Services department.
Aberdeenshire Council confirmed it is a condition of employment that staff observe data protection laws.
A council spokesperson said: “Any data breach is taken very seriously, and data protection training is compulsory within all services. While the majority of breaches are minor and accidental, the principles of safe practice remain the same and staff are regularly reminded of the importance of managing data safely and securely”.
In response to the figures on data protection training, the spokesperson said: “The majority of staff within Education and Children’s Services have completed data protection training. Training is only recorded once per person and, due to the relatively high number of people with more than one job within the service, the number of non-completions is artificially high. Nonetheless, we continue to work with teams to ensure that anybody who has not completed training does so as soon as possible”.
A spokesperson for the ICO said: “Public authorities have access to a great deal of personal data, so they must ensure they too have the appropriate measures and training in place to ensure people’s information is handled responsibly and securely.
“Not all data breaches need to be reported to the ICO… We do however expect public authorities to have robust data breach recording and reporting mechanisms in place as investigations into breaches are important compliance measures and allow public authorities to gauge the severity of a personal data breach and take appropriate action.”
Jude McCorry, CEO of the Scottish Business Resilience Centre, said up-to-date knowledge of security was necessary and that organisations must protect data.
She added: “The value of data that organisations are based on is the equivalent to gold for opportunistic cyber criminals. It is vital that organisations ensure that they have robust cyber and data protection strategies”.
Aberdeenshire councillor Andrew Hassan, of the Education and Children’s Services Committee, said: “I have always been assured council staff at all levels across all departments have access to full training which includes data protection – and regular appraisal at the correct time”.
Data protection at Aberdeenshire Council was in the spotlight recently after its head of education and chief education officer, Vincent Docherty, was revealed to have breached freedom of information rules by emailing a firm suggesting it could lose out on work with the council, after one of its employees had put in an FOI request about him.
The email was later withdrawn and a Scottish Information Commissioner (SIC) ruling found the council had not complied with the FOI code.
Following Docherty’s actions, the SIC issued a formal Practice Recommendation to Aberdeenshire Council in December 2021, only the third time such a recommendation was made.
Aberdeenshire Council said it accepted the findings of the SIC and that the matter “has been dealt with internally with the requested training having been provided”.
The SNP, Scottish Labour, and Scottish Liberal Democrats were invited to comment but did not respond. The Scottish Conservatives declined to comment.
Many thanks to The Ferret for bringing this to light. I would like to add that Docherty should never have been made aware of who sent the FOI. The FOI was not sent from a company email address, nor did it mention the company name – so Docherty used jigsaw identification to ‘out’ the FOI querent to their employer. That’s where the outrage is for me.