Councils in the UK have lost or wrongly shared the sensitive personal information of tens of thousands of people, according to a damming report.
Officials are accused of breaching data rules at least four times a day, often involving the confidential details – including medical records – of countless adults and children.
The ‘shockingly lax attitudes’ that local authorities show towards protecting private records is exposed in a study by the civil liberties group Big Brother Watch.
The privacy campaigners found councils committed 4,236 data breaches between April 2011 and April 2014, compared to 1,035 times in the previous three years – a dramatic four-fold increase.
In many cases, a single breach would involve the disappearance, theft or inappropriate sharing of the personal information of hundreds or thousands of people.
In one incident, a social worker in Lewisham, south-east London, left a bundle of papers containing confidential records about ten children on a train, including names, addresses and information relating to sex offenders and child protection reports.
Another saw Glasgow City Council fined £150,000 by information watchdogs following the theft of two unencrypted laptops that held 20,143 names and addresses along with the bank details of more than 6,000 people.
Despite the scale of the problem, just one council employee has been prosecuted.
Paul Hedges, a leisure centre boss for Southampton City Council, was fined £4,300 in 2013 after stealing files with the personal and medical details of nearly 2,500 clients for his own use after learning he was to be made redundant.
Now Big Brother Watch has called for prison sentences to be introduced for the most serious breaches of the Data Protection Act. Incredibly, just one in ten led to disciplinary action, including only 50 dismissals.
Emma Carr, the group’s director, said: ‘A number of examples show shockingly lax attitudes to protecting confidential information. For so many children and young people to have had their personal information compromised is deeply disturbing.
‘With only a tiny fraction of staff being disciplined, this raises the question of how seriously local councils take protecting the privacy of the public.’
The report, based on responses to Freedom of Information requests, said data was lost or stolen on 401 occasions, while more than 5,000 letters were sent to wrong addresses or contained personal information meant for someone else.
Some 658 cases involved personal data linked to children, yet more than two in three incidents led to no disciplinary action at all.
Breaches included an unencrypted laptop containing the details of 200 schoolchildren being stolen from Aberdeenshire City Council and an employee in Thanet, Kent, being dismissed for accessing benefits records ‘inappropriately’.
Researchers found a total of 197 mobile phones, computers and USB memory sticks were lost or stolen. Of these, 148 – or 75 per cent – took place in Glasgow.
Big Brother Watch has now called for harsher penalties for serious data breaches, including criminal records for those who are found guilty, better training and reporting procedures.
A spokesman for the Local Government Association, which represents all councils in England and Wales, said: ‘Councils take data protection extremely seriously and staff are given training in handling confidential data.
‘Given the huge volume of data councils handle, breaches are proportionately rare. When they do occur, robust investigations and reviews are undertaken to ensure processes are tightened.’
It is clear that employees dealing with personal data must receive appropriate training to understand their legal obligations and responsibilities towards personal data.
Data Protection Awareness online training from Cardinus will ensure that any personal data that your organisation might hold is processed and protected appropriately.
Email email@example.com or call 020 7469 0200 for a demonstration.