After five years of GDPR and three years of hybrid working, you’d expect organisations to have improved their data handling and device security. But in the public sector, losses are still running high. A Freedom of Information (FOI) request conducted by Apricorn revealed that central and local government losses have gone up for a third year in a row, despite the implementation of cybersecurity policies.
Among central government departments, Her Majesty’s Revenue and Customs (HMRC) was the worst offender last year, declaring 635 lost and stolen devices, including 387 mobiles, 244 tablets and four USB drives, a 45% increase on the numbers shared for the same period in 2020-2021 (346) and 40% more than 2019-2020 (375). The Department of Business, Energy and Industrial Strategy admitted to 204 lost and stolen devices – almost double the 107 declared in the previous year and the Prime Minister’s Office reported 203 misplaced devices.
Local councils disclosed almost 1500 data breaches, declaring 600 devices were lost or stolen last year. Suffolk County Council amassed 651 incidents, while Warwickshire County Council declared 367 breaches, North Yorkshire County Council 259 breach incidents, Essex County Council 168, Oxford 31, and East Sussex 13 breaches. Hampshire County Council also admitted to the loss or theft of more than 168 devices.
If that data isn’t bad enough, it appears the processes used to hold these organisations accountable are now being undermined.
Many of these organisations exploit loopholes to avoid disclosure by citing various section clauses from the Freedom of Information Act (FOIA). Of the 41 government departments and local councils approached, 33 responded, with 20 declining to answer some (or all) of the questions posed. Of these, 12 cited Section 31 of the FOIA, which is usually referenced when the disclosure of information would expose a department to potential threats of a criminal nature. Others cited Section 12, which allows requests to be refused on the basis that the cost of dealing with them would exceed £600, which is the estimated cost of one person spending 3.5 working days locating, retrieving and extracting the relevant information.
Given that data retrieval should be getting more efficient, this increase in refusals on cost grounds marks a worrying trend. If the cost claims are accurate, they also suggest that data incidents aren’t being recorded in a way that makes them easy to retrieve. Moreover, given that some of those declining to answer had previously responded to identical FOI requests in past years, this suggests a move away from transparency, potentially in a bid to hide the extent of failings.
Over the past two years, there have been multiple cases of government departments refusing or blocking requests for public information. In fact, records published in April show that less than 40% of FOI requests logged in 2022 were granted in full, with more than half partially or fully withheld. An investigation in 2021 found that government departments had spent at least £500,000 since 2016 trying to block the release of information under transparency laws.
There are, however, notable exceptions. Kent County Council, which disclosed six data breaches and 55 lost or stolen devices, was able to provide detailed information about all breaches. This included full details of each incident, those involved, the times the breaches were disclosed, the volume of data exposed, details of which breaches were escalated to the Information Commissioner’s Office (ICO) and the current status of the incidents.
Enforcement regulation also appears to be weakening. In June last year, the ICO stated its intention to take a lighter touch to GDPR compliance in the future. In the interest of the public purse, fines will only be issued in the most serious cases, making the regulator largely toothless. However, it also reemphasised its commitment to promoting openness by public bodies.
However, the UK GDPR, the replacement for EU GDPR, is looming on the horizon. Currently wending its way through parliament under the guise of the Data Protection and Digital Information Bill, it proposes to abolish the requirement to keep Records of Processing Activity (ROPA), to carry out data protection impact assessments, or to have a data protection officer (DPO), unless the organisation is processing high-risk data (a definition for which has yet to be determined). The definition of Personally Identifiable Information (PII) is also much narrower. If approved, the changes could see data protection requirements substantially reduced.
The evasiveness of public bodies, together with a reduction in regulation, does not bode well. Such developments make the sector less accountable, make it more challenging to assess and evaluate if cybersecurity policy works, and provide no incentive to improve. Consequently, we could regrettably end up back in the dark days before GDPR.