Public Services > Local Government

Local government makes progress on countering data breaches

Published 25 October 2016

Egress chief executive Tony Pepper says a 20% drop in data breaches for local government is good news, but there is still work to do


Despite the doom and gloom headlines, local authorities do seem to be getting better at data protection. A Freedom of Information request submitted to the Information Commissioners Office (ICO) over the summer found a 20% drop in breaches in the sector over the past two years. Great news. However, the same FoI also showed that local government is still second in line – after healthcare – for having the most reported data breaches across industries. So while local authorities should be commended for getting things back on track, there are still challenges to overcome.

The threat from within

Local authorities deal with highly sensitive information on everything from healthcare to child protection and disability services. That’s the kind of data that could have severe repercussions if it ends up in the wrong hands. And as e-government plans continue apace, there’s more data being stored, processed and transferred digitally than ever before.

That represents a tantalising prospect for the legions of cybercriminals out there keen to benefit by stealing and selling this data on the dark web. They’re getting pretty good at it too. In fact, across all sectors, breaches reported to the ICO have increased 66% since 2014.

But despite the media’s preoccupation with the external cyber threat, in truth the vast majority of breaches come as a result of something going wrong inside the organisation. That same FoI request found that human error accounted for nearly two-thirds (62%) of incidents reported to the ICO in a three-month period this year. To put that in perspective, insecure webpages and hacking stood at just 9% combined.

The risk from insider mistakes is magnified by the increasingly mobile nature of a typical local authority workforce today. As data is shared between a growing number of devices and locations so the risk of it ending up in the wrong hands increases. Unfortunately, not everyone is as tech-savvy as IT managers would like. When combined with workplace pressure fomented by austerity cuts, this can create an additional risk that data protection policies may be ignored. It’s a problem that requires a combination of people, process and technology to solve.

Flintshire County Council recently highlighted another key issue local government face, in terms of being required to share a range of personal information with authorised third parties, including NHS and blue light organisations, legal advisors, and care providers. And this is common across all local government. While typically organisations might have a system set up to encrypt data shared internally, many don’t have such a system to share data with external partners, meaning sensitive information is often sent unprotected.

Fines are coming

How is this affecting the average local authority? Unlike private sector firms, they don’t run the risk of losing ‘customers’ or seeing a share price decline following a breach. But there’s the very real risk of punitive fines from the Information Commissioner’s Office. Incoming Commissioner Elizabeth Denham has only been in the job a few months but has already signalled a tough approach to enforcement by levying a £400,000 fine against erring ISP TalkTalk.

And things could be about to get a lot worse, with the EU General Data Protection Regulation (GDPR) set to land in May 2018. With it will come strict new compliance requirements which will raise the stakes when it comes to data protection. Organisations will be required to notify the ICO of any breach within 72 hours. And fines for non-compliance will rise to a maximum of €20 million (£18m) or 4% of annual worldwide turnover – whichever is higher. A hefty fine from the ICO is the last thing our cash-strapped public sector needs. And for those hoping for a Brexit get-out clause, it’s more than likely that even after the UK leaves the EU, which could take years, parliament will seek to harmonise its own laws with the regulation.

Safety first

So how can public sector IT leaders manage the risk of data loss in an effective manner which won’t break the bank?

It’s important that data is protected throughout its lifecycle, from creation to archive. This means taking the time out to better understand that data – how it’s used, who it’s shared with and how much of it is sensitive. Classifying your data based on content is the first step towards better control and will ensure you only apply security where needed for maximum efficiency.

The second step is to create policies and procedures which outline how sensitive data should be treated. Policies must be clear, simple and unambiguous. The next challenge is to communicate them to staff in a way which they will understand and remember. Only by doing this will those policies – in combination with smart technology – provide an effective safety net against human error.

Once data has been classified and policies drawn up you can start thinking about security controls. Look for advanced encryption services which not only protect sensitive data but also prevent it from being shared erroneously and provide an audit trail to satisfy compliance requirements. Some tools even have the ability to revoke recipient access once a message has been sent outside the organisation to reverse mistakes. Victim Support  goes even further to ensure the correct level of protection is applied – with prompts appearing onscreen if confidential information is ever at risk of being sent without appropriate measures to help guide user behaviour.

Then it’s all about creating a single secure framework via which to share sensitive data with trusted third parties. For example, Suffolk County Council uses encryption that is free for recipients; so that it can securely share sensitive information with police, health and social care providers, without forcing them to invest in special technology. This way they can set the bar on security without having to create a financial burden for partners.

The UK’s public sector does a fantastic job with limited resources, and it’s getting better at data protection. But to stay on this path and head off the growing challenges of data sharing and insider risk, it’s vital to get in place the right combination of policy, procedure and smart technology.

Tony Pepper is chief executive of Egress

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.