Data security breached 9,000 times in government departments in just 1 year
The National Audit Office (NAO) watchdog revealed that the 17 largest departments recorded 8,995 data breaches in 2014-15, but that only 14 were reported to the Information Commissioner’s Office (ICO).
HM Revenue and Customs (HMRC) was the worst offender, with 6,041 breaches and just three reported to the ICO. Almost all of those not reported were “minor” breaches that “potentially had an impact on customers but were not managed centrally by the department.”
The Ministry of Justice (MoJ) had 2,801 breaches and also reported just three to the ICO.
Under the Data Protection Act, Whitehall departments can decide which personal data breaches to report to the ICO. However, the NAO said it was impossible to determine how serious the thousands of incidents not disclosed to the commissioner were.
“The lack of detail in the self-reporting data means it is not possible to determine how significant any of the 8,981 incidents (not reported to the ICO) were. The data reflect public reporting as signed off by accounting officers and highlight major variations in incident reporting processes across departments.”
The NAO said “chaotic” mechanisms for recording personal data breaches made departmental comparisons “meaningless.”
The report also found that 73 teams and 1,600 staff with data security responsibilities were operating without cohesion and governance. The Cabinet Office came under fire for failing to establish leadership in the area.
“None of the departments interviewed understood the specific roles of the various bodies involved, making it difficult to identify any single arbiter of standards or guidance,” the report said.
A Cabinet Office spokesperson said the majority of the data breaches cited in the report were “very minor” but said it needed to do more.
“The Cabinet Office conducted its own review of government security in early 2016 and many of our findings are consistent with the NAO report,” the spokesperson told the BBC.
“So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two.
“We have also appointed the government’s first ever Chief Security Officer to bring together all disciplines of government security under central leadership.”
Amyas Morse, head of the National Audit Office, said: “Protecting information while redesigning public services and introducing the technology necessary to support them is an increasingly complex challenge.
“To achieve this, the Cabinet Office, departments, and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.”