ICO reports increasing trend in self-reported data breaches in past five years

Out-Law News | 03 Sep 2012 | 8:00 am | 2 min. read

The number of organisations that have informed the UK's data protection watchdog about breaches of data protection laws that they have suffered has increased in each of the past five years, according to newly released figures.

Statistics disclosed to data security firm Imation Mobile Security by the Information Commissioner's Office (ICO) under freedom of information (FOI) laws, and also seen by Out-Law.com, show that just 79 personal data security breaches were self-reported by organisations in the period of November 2007 to the end of March 2008. This compares with 821 such instances reported to the watchdog between April 2011 and the end of March this year.

The figure for 2012/13 is on track to exceed the 821 total, which was up from 603 for 2010/11 and from 469 and 395 for the two years before that. In the three months since the beginning of April this year, 263 data breaches have been self-reported to the ICO.

A spokesperson for the ICO said that a range of factors, including heightened awareness of the watchdog's civil monetary penalty regime powers, were behind the increasing trend towards organisations self-reporting data breaches.

"Over the years we have provided practical support and guidance to organisations across the UK and are pleased that the health service and government sectors are now expected to report serious breaches, involving sensitive or large volumes of personal data, to our office," the spokesperson said in a statement. "We would urge other sectors to do the same by following our guidance on security breach management."

"Since 2010 we have also had the power to serve a monetary penalty for up to £500,000 on organisations that have seriously breached the Act and caused substantial distress and damage to those affected. All of these factors have played a part in increasing awareness of not only the legal requirements on organisations to keep people’s data secure but also the ICO’s role in enforcing these. However clearly for many organisations further work is still required to ensure security breaches do not occur in the first place," they added.

The statistics disclosed by the ICO reveal that there were 207 data breaches reported to the ICO by organisations in the NHS in the 2011/12 period, nearly double the 105 instances that were self-reported in the sector during 2008/09.

Businesses in the private sector self-reported 277 data breaches last year, compared to 186 in 2010/11 and up from just 22 for the period of November 2007 to the end of March 2008. Personal data breach reporting has also increased substantially in local Government, with 188 breaches by bodies in the sector reported to the ICO last year, compared with 146 for the previous 12 months and 45 in 2008/09.

According to the ICO's figures covering April, May and June this year, health bodies owned up to 61 personal data breaches, compared to 21 by organisations in the education sector, 15 by central Government departments, 59 in local Government and 26 by general businesses.

Lenders and financial advisors also self-reported a total of eight data breaches during the three months, whilst the ICO also received notice of a personal data breach by an organisation involved with probation services and another in social services.

Police and criminal record bodies reported seven data breaches during the period. Hertfordshire Police has said it is investigating the publication on the internet of phone numbers and IP addresses belonging to officers in its Safer Neighbourhood Teams, according to a report by the BBC. The information stemmed from a police database.

"As a precaution these pages have been temporarily disabled whilst the circumstances as to how this information was obtained is investigated," a statement issued by the force said, according to the BBC's report. "There is absolutely no suggestion that any personal data relating to officers or members of the public has been, or could have been compromised. Nevertheless matters of IT security are extremely important to the Constabulary and an investigation is already under way."