Amid a flurry of public sector data breaches, what will it take for the sector to crack privacy?

The Electoral Commission, NHS, and three police forces have all recently made headlines for compromising personal information. Here are five steps for public sector organisations to take now.

By Emma Sheppard

Writer

August 2023

Things have gone from bad to worse for the public sector where privacy’s concerned. In the past month alone, the Electoral Commission revealed its database was breached last year, exposing the names and addresses of at least 40 million people. In Northern Ireland, the personal details of more than 10,000 police officers and staff were inadvertently published online by the police force as it responded to a routine freedom of information (FOI) request. Barts Health NHS Trust has become one of the victims of the ALPHV ransomware gang, which claims to have stolen 70 terabytes of sensitive data. Norfolk and Suffolk police has published the identifiable details of victims, witnesses and suspects of crime, again in a mismanaged FOI request. And now the Metropolitan Police has had a data breach at one of its suppliers.

Public sector organisations can be an attractive prospect for cybercriminals. Bodies such as NHS Trusts, councils, schools, and government departments hold and share extensive amounts of personal data, the nature of which means they’re often seen as more likely to comply with ransomware demands. Analysis of official data shows between 2020 and August 2021, around 40% of the 777 incidents recorded by the National Cyber Security Centre (NCSC) affected the public sector. 

But the sector can also be let down by a lack of budget, time-poor staff working remotely, and a digital skills gap that means employees make mistakes. 

In June 2022, the Information Commissioner’s Office (ICO) announced its intention to run a two-year pilot to reduce the impact of fines on public bodies. Instead, the Commissioner, John Edwards, intends to issue reprimands, publicise lessons learned, and share good practice, with fines still being issued in the most serious of cases. Though he has received criticism for this approach since, he is steadfast in his intention to see the two years through.

“[Fines] do not affect those responsible for the breach in the same way that fining a private company can affect shareholders or directors,” he said recently after Thames Valley Police (TVP) and the Ministry of Justice (MoJ) weren’t fined. The TVP was reprimanded for disclosing information that led to “suspected criminals learning the address of a witness” and the MoJ left 14 bags of confidential documents – including medical data of prisoners and security vetting details of staff – in an unsecure holding area of a prison for 18 days.

“Perhaps most importantly, the impact of fines issued to the public sector is often visited upon the victims of the breach themselves, in the form of reduced budgets for vital services. In effect, people affected by the breach get punished twice,” Edwards added in his statement.

But in the spirit of sharing best practice, here are five steps the public sector could take to get privacy right going forwards: 

1. Invest in training

Creating a privacy-first culture starts with regular staff training. Human error is thought to be responsible for around 82% of all data breaches. If you can help your workforce understand privacy, they will care about it. And if they care about it, they will do their bit to keep personal information safe. In both the TVP and MoJ cases, for example, the ICO noted there was a lack of awareness among staff about how sensitive data should be handled, despite there being relevant processes in place. Put privacy training high on the agenda, and make sure everyone completes it. Regularly. 

2. Review policies and processes

It’s suspected that in both the Police Service of Northern Ireland and the Norfolk and Suffolk police force cases, the FOI request was delegated to one member of staff, who published the response without any further checks. FOI requests should not exist in a silo. They often involve sensitive data, meaning that there should be a number of checks done before publication. Other changes to work environments, such as the adoption of new tools, devices and technology, and the shift to hybrid work, have changed the dynamics of many public bodies. Set clear standards to assess, prepare for, and mitigate risks to privacy, and regularly review the policies and processes in place to ensure they’re still fit for purpose and are being followed. The ICO also has advice on how to disclose information safely.

3. Be aware of supply chain risks

Third-party suppliers and partners are often critical to delivering government services. But they can also pose a risk where privacy is concerned, as we have seen with the breach at the Metropolitan Police. In addition, Ofcom, the UK’s communications regulator, has confirmed it was among the organisations affected by the recent MOVEit transfer breach, and a number of public bodies were caught up in the ransomware breach at Capita, which is responsible for billions of pounds’ worth of government contracts. Even public sector bodies need to spend time on supply chain mapping so they can see how data flows between them and suppliers. Are there opportunities to minimise the amount of data shared or who it’s shared with? Are there risks that can be better managed by a change to a process or contract?

4. Act quickly

If a data breach does occur, it’s important to act quickly. It’s suspected that the recent breach at the Electoral Commission went undetected for a year and the body failed to notify the public for another 10 months. Under the UK GDPR, a data breach must be reported to the ICO within 72 hours if it poses a risk to the rights and freedoms of individuals, and those individuals may also need to be identified quickly. Having a data breach response plan in place helps everyone know what is expected if the worst happens, who should be notified, and timings around communication with the public.

5. Put a privacy programme in place

Privacy isn’t a one-off project that can be ticked off. It’s a way of being, a culture that involves everyone in the organisation. Get the right structure and processes in place and maintain an engaging privacy programme, which has everyone in your organisation asking the question ‘what does that mean for privacy?’ when decisions are made. Eventually, it will become second nature.
