“To send a person’s financial records to the wrong fax number once is careless. To do so continually, despite being aware of the problem, is unforgiveable.”
So said our Head of Enforcement Stephen Eckersley, commenting on the £75,000 penalty issued to Bank of Scotland. But as the stats we’ve released today show, carelessness remains the cause of much of our business.
More than half of the 335 data breach incidents we looked at in the first quarter fall into the ‘disclosed in error’ category. That covers everything from emails being sent to the wrong people to information erroneously included in freedom of information responses, but invariably they can be described as careless. Our job, of course, is to then consider whether that carelessness extends to a breach of the Data Protection Act, and where it does, what action to take.
The breakdown of what type of data breaches are reported to us is one of the sets of statistics we’ve published today. As an enforcement team, we record a lot of statistics to help us to do the best job we can in dealing with data breaches. We felt some of those figures might be interesting to people outside of the ICO. As we update them each quarter the page will begin to show the trends that influence how we operate, both within enforcement and across the ICO.
The monetary penalty notice issued to the Bank of Scotland is the latest example of the action we’ve taken as a result of carelessness. But, depending on the seriousness of the breach, we can also issue enforcement notices (see our action against Powys County Council) or work with organisations to sign undertakings (Mansfield District Council and Prospect). All these actions were related to cases of personal data being disclosed in error and give examples of how stats like those we’ve published today have informed the work we do.
As well as the type of breaches we’ve seen, we’ve also identified the sector in which these breaches have occurred. It won’t surprise regular readers to see the health and local government top, as we’ve identified these as priorities in the past, and there’s an ongoing piece of work we’re involved with to try to get better access to help organisations in these sectors sooner. But the stats can be a little misleading here too: the NHS has their own rules that oblige any potential data breaches to be self-reported, while local government has similar guidelines. That means the two are always likely to be near the top of this table.
More interesting, perhaps, are the next two on the list: schools and solicitors/barristers. Both handle very different information, but much of it would be considered sensitive, and it’s crucial it’s being looked after properly. The purpose of publishing these stats is to get a feel for the trends, so we’ll be keen to see how the two sectors are performing in next quarter’s results.
Finally, as well as the graphs on the trends page (which we plan to add to as trends emerge each quarter), we’ve also published a spreadsheet of all of our civil monetary penalties. None of this information is new – it was all available on the monetary penalty notices themselves, but the spreadsheet brings all the details together for the first time. It’s something we’d been asked for on Twitter and when we’ve been at conferences, so we’re glad to put it together.
|Sally-Anne Poole manages the Civil Investigations team within the Enforcement Department. Sally-Anne’s team investigate breaches of the Data Protection Act, exercising the Commissioner’s powers of enforcement contained in part V of the Act, including civil monetary penalties.|