Disclosures of data in error to blame for more than half of breaches: ICO

Disclosures of data in error accounted for more than half of breaches in the first quarter of 2013/14, the Information Commissioner’s Office has reported.

There were 175 such incidents out of a total of 335. Other frequent types of breach were:

  • Lost or stolen paperwork (42 incidents);
  • Lost or stolen hardware (29);
  • Technical security failing (27);
  • Other non-information security incident (18);
  • Other information security incident (17);
  • Non-secure disposal – paperwork (12); and
  • Uploaded to website in error (7).

The health sector accounted for the highest number of data breach incidents at 91. This was followed by local government, with 57.

Other significant sectors included education (25), solicitors/barristers (20), general business (14) and charities (14).

Writing on the ICO’s blog, Sally-Anne Poole, Enforcement Group Manager (Civil Investigations) for the watchdog, said the ‘disclosed in error’ category “covers everything from emails being sent to the wrong people to information erroneously included in freedom of information responses, but invariably they can be described as careless”.

She added: “Our job, of course, is to then consider whether that carelessness extends to a breach of the Data Protection Act, and where it does, what action to take.”

On health and local government appearing at the top of the table, Poole said: “It won’t surprise regular readers to see [these sectors] top, as we’ve identified these as priorities in the past, and there’s an ongoing piece of work we’re involved with to try to get better access to help organisations in these sectors sooner.

“But the stats can be a little misleading here too: the NHS has their own rules that oblige any potential data breaches to be self-reported, while local government has similar guidelines. That means the two are always likely to be near the top of this table.”

She added that it was more interesting to see the next two on the list: schools and solicitors/barristers. “Both handle very different information, but much of it would be considered sensitive, and it’s crucial it’s being looked after properly. The purpose of publishing these stats is to get a feel for the trends, so we’ll be keen to see how the two sectors are performing in next quarter’s results.”