Government reports data breaches
Research by Apricorn (www.apricorn.com), the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives has revealed that government departments have reported thousands of personal data breaches and numerous notifications to the ICO between 2019-2020 according to Freedom of Information (FoI) requests and data from annual reports of 17 public bodies.
In its annual report and accounts 2019 to 2020, the Driver and Vehicle Licensing Agency's (DVLA) revealed it had submitted a total of 181 notifications to the Information Commissioner’s Office (ICO) in the past year alone. Additionally, FoI requests submitted to HM Passport Office (HMPO) disclosed that between 1 August 2019 and 31 July 2020, the Office of the data protection officer (DPO) received 1,291 Data Incident Reports in relation to HMPO, 1,280 of which were assessed as Personal Data Breaches.
“It may be that these departments are dealing with thousands, even millions, of records containing personal data or sensitive information, but given this, and the fact these are public bodies, we should certainly be concerned,” says Jon Fielding, Managing Director, EMEA Apricorn.
“Whether these are minor breaches that required no further action or not, it is clear that more needs to be done and departments need to be considering the tools necessary to bring this number down in years to come.”
According to the ICO’s Annual Report 2019-2020 there were 11,854 personal data breaches reported to the ICO in 2019-20. This is concerning given the fact that this accounts for only those that require notification . For instance, the Home Office Security annual report noted a huge 4,204 incidents were recorded in 2019-20, but just 25 were highlighted as particularly severe meaning that the ICO had to be notified.
NHS Digital shared breach information in its 2019-2020 annual report and accounts showing that there were 38 incidents during 2019-20 that were classified as personal data breaches under the General Data Protection Regulation (GDPR) and the ICO guidance. Of those, 17 related to employee data and 21 related to patient data. During this period, four of the personal data breach incidents were reported to the ICO.
“The large number of data incidents being reported may be in part due to the increased awareness and changes in processes when identifying and managing data breaches. The change in requirements in line with the GDPR will of course see a rise in the numbers now being reported to the ICO. The increase in remote working through Covid will also have introduced more security concerns with an upsurge of information on the move,” continues Fielding.
“Needless to say, if the data is secure in the first instance, the number of breaches, and the need to report them, would obviously decline. Public sector bodies should follow the same process as any business would when it comes to mitigating risk. At the very least, data should be encrypted in transit and at rest so that, in the event defences are compromised, the data remains inaccessible.”
In some cases, government departments failed to provide responses to Apricorn’s FoI requests on time, or noted that the cost of dealing with them would exceed the appropriate time limit set. “This process needs to be managed more efficiently and effectively by the departments concerned. The requests may not always be entirely straightforward, but where your data resides, and whether it has been put at risk, should be well documented, while information stored in a central database should be easily accessible, and not require multiple days to recover,” concluded Fielding.