Breaches of the Data Protection Act reported to the Information Commissioner’s Office (ICO) are only a tiny fraction of the true number of such incidents happening across the UK. That’s according to a series of Freedom of Information requests from security and communications specialist ViaSat UK.
While 1,089 breaches were reported to the ICO between March 2014 and March 2015*, police forces across the UK reported at least 13,000 thefts** of devices that could hold sensitive data from businesses – meaning that there are thousands of potential incidents going unreported.
Since the current Data Protection Act contains no legal obligation to report breaches and has no specific security requirements included, there’s no way of knowing whether any of these thefts place the population’s myriad sensitive data at risk.
“We must remember that 13,000 thefts is the bare minimum,” asserted Chris McIntosh, CEO at ViaSat UK. “Considering that not all police forces could share this information, the real figure is likely to be many times greater. As a result, thousands of individuals’ private data could well be on borrowed time.”
McIntosh continued: “It’s clear that this discrepancy isn’t due to the ICO but the framework within which it has to operate. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported or that risk is minimised. For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence that none of the 13,000-plus stolen devices represent a threat.”
Breaches in business sectors
The majority of breaches reported to the ICO came from the healthcare sector, which was responsible for 431 in total. The next highest was local Government with 129. Indeed, between them these two sectors, which mostly represent public sector organisations, accounted for 51% of all reported breaches*** and the greatest number of undertakings enforced by the ICO****.
With other mainly public sector organisations – such as education and law enforcement – accounting for a significant number of reported breaches, the statistics suggest that the private sector is still greatly under-reporting the number of potential breaches it encounters.
“The ICO’s role is to encourage Best Practice in data protection,” stated McIntosh. “While it’s clear that the organisation’s financial penalties are aimed at this mission, the ICO still needs more legal and financial muscle to drive its goals forward. While compulsory reporting of every single potential breach could be difficult to enforce, inevitably it would give the ICO a clearer view of the problem and allow it to better mandate Best Practice. However, in the meantime compulsory encryption, and the power to police it, is the absolute minimum that the ICO should be granted.”
*The total of self-reported data breaches to the ICO between 12 March 2014 and 12 March 2015: 1,089. The figure between 1 March 2013 and 28 February 2014 was 1,274, and for the period between 8 March 2012 and 8 March 2013 the total was 1,150.
The total value of monetary penalties issued by the ICO for self-reported data breaches between 12 March 2014 and 12 March 2015: £1,142,500. The corresponding figure for the period between 1 March 2013 and 28 February 2014 is £1,230,000, and for 8 March 2012 to 8 March 2013 it is £2,610,000.
**Number of thefts reported from businesses to 18 UK police forces between 1 March 2014 and 28 February 2015 (inclusive): 67,677
Number of thefts of devices capable of holding sensitive information: 13,079
***Top five sectors for self-reported data breaches 2015-2015: Healthcare (431), Local Government (129), Education (86), General business (72) and Solicitors/Barristers (55)
****ICO undertakings 2014-2015 by sector: Local Government (24), Healthcare (14), Policing and Criminal Records (6), General business (4), Media (3), Estate Agents (2), Leisure (2), Lenders (2), Solicitors/Barristers (2), Education (1), Financial Services (1), Housing (1) and Recruitment Agencies (1)
*****Number of self-reported data breaches 2014–2015 by type: Disclosure of data (689), Security (375), Inaccurate data (6), Use of data (5), Breach of Section 55 of the Data Protection Act by an individual (4), Subject access (3), Obtaining data (3), Retention of data (3) and Excessive/Irrelevant data (1)
******Number and value of monetary penalties 2014-2015 by breach type: Security (five penalties totalling £812,500), Use of data (two penalties totalling £150,000), Disclosure of data (one penalty totalling £180,000)
ViaSat UK contacted the ICO requesting statistics on self-reported data incidents between 12 March 2014 and 12 March 2015, broken down by type and sector.
In addition, ViaSat UK contacted each of the police forces in the UK to request statistics on thefts between 1 March 2014 and 28 February 2015 (inclusive). The company requested information on the number of thefts where computing and communications equipment capable of holding sensitive data had been stolen, and whether thefts had been reported from individuals or organisations.
Of the 34 forces that responded, not every force was able to provide the full information needed. As a result, statistics are based only on the 31 forces that could give precise and verified detail.