Local councils lose personal details of 160,000 people


Local councils have lost data relating to personal details of more than 160,000 people in the last five years, a Bureau investigation can reveal. More than 26,000 individuals have had their personal details lost in the first half of 2011 alone.

The losses include personal details of more than 5,000 children.

CVs, housing benefit information, passport numbers, information on vulnerable people and an encrypted version of a local electoral register were amongst the various losses that councils admitted.

One council, Worcestershire, even admitted losing people’s bank details, in an incident that involved the loss of a contractor’s laptop that contained information relating to 16,200 staff in 2007.

In many cases councils have also failed to inform people affected by the loss.

Some of the most disastrous data breaches appear to have occurred as a result of councils failing to encrypt or protect portable storage devices such as CDs or USB memory sticks.

The Bureau’s research has shown that close to 70% of all data breaches over the last five years can be attributed to the loss of just five USB sticks. Four of them had no electronic protection and were never recovered.

In May, Rochdale Council reported that an unencrypted USB stick including personal data and housing information on 18,904 people was lost. None of the victims have yet been informed, and no disciplinary measures have been implemented.

Rochdale Council declined to comment on the case, which remains under investigation by the ICO. However, a spokesperson claimed that the majority of the misplaced information was already in the public record.

The Bureau’s research has shown that close to 70% of all data breaches over the last five years can be attributed to the loss of just five USB sticks. Four of them had no electronic protection and were never recovered.

The largest single breach occurred in 2009, when Birmingham City Council discovered that an unencrypted USB stick containing the personal and contact details of 64,000 council tenants had gone missing. The data included addresses, dates of birth, contact details, ethnic origin and tenancy details. In this instance the victims of the breach were informed.

A Birmingham City Council spokesperson said that since the incident occurred, ‘the security of all USB sticks used by staff has significantly increased. They are now password-protected, so access to data will not be possible due to security protection.’

Since April 6 2010 the Information Commissioner’s Office has been able to fine organisations up to £500,000 for serious breaches of the Data Protection Act. Under the new provision Surrey, Ealing, Hounslow and Hertfordshire councils have all received fines between £70,000 and £120,000. The other two fines relate to an anti-piracy lawyer and a private contractor.

Identity crime increasing
Identity crime is becoming increasingly frequent. According to CIFAS, a UK body that advises on the risk of identity theft and fraud, the number of victims of online identity fraud has risen from 62,000 in 2009 to 89,000 in 2010. A report published by the organisation found that identity fraud accounted for nearly half of all fraud cases last year.

Richard Hurley, communications manager for CIFAS said: ‘Phishing attacks, data breaches and social engineering are all methods that have received much media attention in recent years which are utilised by fraudsters in order to access or obtain information and personal data.’

Hurley also warned that councils who failed to inform residents that they had lost their personal data would be guilty of neglecting a ‘fundamental duty of care’.

He said: ‘If an individual is unaware of their data being breached, then their service providers will also be unaware. If the organisation then receives an application that looks and seems genuine, filled with correct data, then how is it to know that the application is not genuine?’

A spokesman from the ICO said: ‘Local authorities and their staff can have access to substantial collections of often highly sensitive personal information. It is therefore important that these organisations have the necessary security measures in place to keep this information secure, as well as meeting their other obligations under the Data Protection Act including making sure that the data held by the authority is not excessive and is only retained for as long as is necessary.’

The Bureau submitted Freedom of Information requests to all local councils, asking for details of all incidents in which personal data was lost since 2005.

The scale of the problem is likely to be far higher than that reported as some councils appeared to be making little effort to record the detail of data breaches.

The Royal Borough of Windsor and Maidenhead reported 15 incidents in which data was lost, but could not report how many individuals were affected, had informed none of the victims and had recovered none of the data.

Bradford and East Riding councils refused to disclose any of the information we requested.