The State of the State: U.K. Government Data Breaches

Government data breaches are very much a parochial problem in the U.K., causing indignation in widespread locales.  In its recently published Annual Report for 2012/13, the Information Commissioner’s Office (ICO) states that data leaks by local authorities are a priority area for the data protection body.  The ICO receives both individual complaints and declarations of self-reported data breaches from public and private entities.


[Image courtesy of Reincubate’s Keep Calm-O-Matic]

I first became interested in this issue of U.K. government data breaches because of a big fat number that was highlighted with journalistic fervor last year: 1,000 %.  Many sources reported that a Freedom of Information (FOI) request by Imation, an American scalable storage corporation, uncovered the finding that U.K. government data breaches were up by an astonishing 1,000 %.   Check out some of those attention-grabbing headlines:

In reality, this number was a murky one because it did not reflect actual data breaches, but was merely a comparison of self-reported data breaches made to the ICO.  The rising trend in self-reporting was a result of increased awareness of legal requirements and most importantly, the ICO’s nascent power, as of 2010, to levy fines of up to GBP500,000 for a single data breach.  It was fairly reported by, which refrained from using that astonishing (and misleading, don’t you think) 4-digit number: ICO reports increasing trend in self-reported data breaches in past five years.  The most accurate conclusion based on this one FOI request was that there was a commendable improvement in self-reporting by entities in the health and education sectors, central and local governments, and private businesses.

Since then, however, local government continues to struggle with the actual prevention of data leaks.  By the end of 2012, the ICO stated, “There is an underlying problem with data protection in local government.”  (Local councils fined over £300,000 for losing personal data).

The ICO’s criticism was instigated by its fining of four councils for the breach of sensitive personal data within two months.  During the year of 2012, 20 of 31 total ICO fines were directed to councils, boroughs, and local police or constabulary.

In focusing on local data breaches, the ICO is led by both self-reports and individual complaints.  During the past reporting year (April 2012-March 2013), the ICO received 13,802 new individual data protection complaints.  It processed a total of 14,042 complaints (including complaints filed in the previous year).  Its practice is to use these complaints as a catalyst for institutional action and communication with co-regulators (Annual Report at p. 20).  As seen below, 11 % of data protection complaints to the ICO stemmed from local government (Annual Report at p. 21).  Two-thirds of ICO fines were levied on the health and local government sectors (Annual Report at p. 32).


The ICO considers local authorities and criminal justice organizations to be “ICO priority areas” and conducted a “significant” number of its privacy audits of these data controllers.  In fact, the ICO offers free audits to public sector organizations and highly recommends them (Annual Report at p. 16).  Anecdotally, it appears that many local authorities still need to take up the ICO on this offer, which leads me to an interesting subplot here.

Returning to the matter of FOI requests, the ICO is particularly concerned about sloppy bureaucratic responses to these data requests (ICO blog: The risk of revealing too much, June 28, 2013).  My goodness, aren’t these requests useful for stirring up agitation and news postings?  Apparently, council members often release Excel spreadsheets of data without properly redacting all the underlying, non-requested, sensitive personal data.  A private sector website, WhatDoTheyKnow, is so uncomfortable being the intermediary for these accidental publications that it has published a statement exhorting authorities to be more careful in responding to FOI requests:

“We have recently, though, come across a type of mistake public bodies have been making which we find particularly concerning as it has been leading to large accidental releases of personal information. (…)  We have seen a variety of public bodies, including councils, the police, and parts of the NHS, accidentally release personal information in this way. While the problem is clearly the responsibility of the public bodies, it does concern us because some of the material ends up on our website (it often ends up on public bodies’ own FOI disclosure logs too).”

MySociety Blog: WhatDoTheyKnow Team Urge Caution When Using Excel to Depersonalise Data (June 13, 2013)

This is not a new issue.  MySociety blogged (A Private Data Leak by Islington Council – mySociety’s Statement, 26 July 2012) about Excel worksheets and hidden tabs one year ago.  Let’s hope this is not going to be an annual affair – summertime, British councils and Excel data breaches – not a fabulous combination.  Keep up the good work, ICO.
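A pre-release check for the Excel failure described above, as an added example that is not part of the original post: it lists hidden tabs, hidden rows and columns, and pivot-table caches in an .xlsx before the file goes out in an FOI response. It goes a little beyond the hidden tabs the post names; the function names are hypothetical and the sample workbook is a constructed minimal package containing only the parts the check reads.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

def audit_xlsx(data):
    """List content in one of your own outbound .xlsx files that Excel hides."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Hidden and "veryHidden" tabs are flagged in the workbook part.
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.iter(f"{{{MAIN}}}sheet"):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append(f"sheet {sheet.get('name')!r} is {state}")
        for name in sorted(z.namelist()):
            if re.fullmatch(r"xl/pivotCache/pivotCacheRecords\d+\.xml", name):
                # A pivot table carries a cached copy of its source rows.
                rows = len(ET.fromstring(z.read(name)).findall(f"{{{MAIN}}}r"))
                findings.append(f"{name}: {rows} cached source rows")
            elif re.fullmatch(r"xl/worksheets/[^/]+\.xml", name):
                root = ET.fromstring(z.read(name))
                for tag in ("row", "col"):
                    n = sum(e.get("hidden") in ("1", "true")
                            for e in root.iter(f"{{{MAIN}}}{tag}"))
                    if n:
                        findings.append(f"{name}: {n} hidden {tag} element(s)")
    return findings

def build_sample():
    """Constructed sample: a minimal package, not a complete workbook."""
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{MAIN}"><sheets>'
            '<sheet name="Summary" sheetId="1"/>'
            '<sheet name="RawData" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{MAIN}">'
            '<cols><col min="3" max="3" hidden="1"/></cols><sheetData>'
            '<row r="1"/><row r="2" hidden="1"/></sheetData></worksheet>',
        "xl/pivotCache/pivotCacheRecords1.xml":
            f'<pivotCacheRecords xmlns="{MAIN}" count="2"><r/><r/></pivotCacheRecords>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    print("\n".join(audit_xlsx(build_sample())))
```

An empty result means none of these three kinds of hidden content were found; it does not cover comments, document properties or embedded objects.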

Annie C. Bai



  • Copyright notice

    © Copyright 2010-2014 "Information Security Breaches & The Law".
    All rights reserved, unless noted otherwise under each author's post, page or other material.
    If you would like to discuss licensing terms, contact us at: info [at] security-breaches [dot] com.
