Webster's pieces from The Oldie
Webster's Webwatch

Councils of despair

June 2018

Local Councils do not have a high reputation for efficiency, but you’d like to think that they take security seriously, especially the security of personal data.  Whilst we may not trust them to cost-effectively run a picnic in a sandwich factory, we do expect that their general procedures and protocols should be of the best.  They make enough fuss about Health and Safety, after all.

However, if you did think that, it seems you might be mistaken. At the recent Oldie Computer Seminar one attendee told us about a letter from his local Council advising that they had suffered a data theft which included the combination to the key safe outside his very elderly mother’s home. What especially concerned our reader was that this news came quite a time after the data theft had taken place.

In his case no harm was done, thank goodness, but a glance at the Information Commissioner’s website tells an unhappy story.  In the last year alone, five councils have been fined a total of £510,000 (that’s our money, remember) for various transgressions, including, in one case, leaving vulnerable people’s personal information exposed online for five years; yes, five years.

Those are just the public breaches; a friend of mine, a veteran technical consultant, was hired by one County Council to advise them as they had deleted their entire historic payroll records. He was shocked to find the man in charge of the Council’s data had scant knowledge of computers; he had been moved from the transport department. 

Now, we all make mistakes, and Councils will never be perfect, but what sets the good apart from the bad is how they try to prevent mistakes happening and how they act when they do. 

That’s what makes a recent report by pro-privacy pressure group Big Brother Watch (BBW) all the more depressing. Using Freedom of Information requests, BBW established that of 395 Councils approached, 114 suffered at least one cyber security breach during the last five years and 25 admitted data had been stolen. Worse, more than half of them failed to report the breaches to the police, despite having a legal obligation to do so. Worse still, 75% of Councils only provide voluntary cyber security training for staff and 16% provide none at all.

There is also evidence that some Councils don’t even know what is going on. 126 Councils told BBW that they did not experience any cyber-attacks at all during the five years. This seems astonishingly unlikely; even the Government’s own study in 2015 said that ‘33,000 malicious emails are blocked from accessing public sector systems every month’. I simply don’t believe that the 126 Councils suffered no attack for a full five years. I do believe that they have no idea if they have been attacked or not.

It’s very worrying, and it is high time that these guardians of the public data realised what the perils are and took steps to safeguard the data properly and consistently. It’s not difficult; make sure you have the best equipment and keep it updated, establish the best protocols and train your staff properly. It doesn’t sound like too much to ask.

The trouble is, getting it right involves spending money with no visible outcome (no buildings, schools or parks) and Councillors can’t see themselves getting OBEs just because there was no security breach.  It’s certainly true that most Councillors I come across, though many are good in heart, have lamentable technical skills.  They just don’t understand the risks.

Maybe we should introduce a new Order of Chivalry, The Order of the Protector of the Data, given each year to the Council data managers with the fewest breaches.  That might wake them up a bit; Councillors love a trip to Buckingham Palace.

You can download the BBW report from this link

You can read more about BBW from this link

Read about the Information Commissioner's enforcement decisions from this link.