Things have gone from bad to worse for the public sector where privacy’s concerned. In the past month alone, the Electoral Commission revealed its database was breached last year, exposing the names and addresses of at least 40 million people. In Northern Ireland, the personal details of more than 10,000 police officers and staff were inadvertently published online by the police force as it responded to a routine freedom of information (FOI) request. Barts Health NHS Trust has become one of the victims of the ALPHV ransomware gang, which claims to have stolen 70 terabytes of sensitive data. Norfolk and Suffolk police have published the identifiable details of victims, witnesses and suspects of crime, again in a mismanaged FOI request. And now the Metropolitan Police has had a data breach at one of its suppliers.
Public sector organisations can be an attractive prospect for cybercriminals. Bodies such as NHS Trusts, councils, schools, and government departments hold and share extensive amounts of personal data, the nature of which means they’re often seen as more likely to comply with ransomware demands. Analysis of official data shows that between 2020 and August 2021, around 40% of the 777 incidents recorded by the National Cyber Security Centre (NCSC) affected the public sector.
But the sector can also be let down by a lack of budget, time-poor staff working remotely, and a digital skills gap that means employees make mistakes.
In June 2022, the Information Commissioner’s Office (ICO) announced its intention to run a two-year pilot to reduce the impact of fines on public bodies. Instead, the Commissioner, John Edwards, intends to issue reprimands, publicise lessons learned, and share good practice, with fines still being issued in the most serious of cases. Though he has received criticism for this approach since, he is steadfast in his intention to see the two years through.
“[Fines] do not affect those responsible for the breach in the same way that fining a private company can affect shareholders or directors,” he said recently after Thames Valley Police (TVP) and the Ministry of Justice (MoJ) weren’t fined. The TVP was reprimanded for disclosing information that led to “suspected criminals learning the address of a witness”, and the MoJ left 14 bags of confidential documents – including medical data of prisoners and security vetting details of staff – in an insecure holding area of a prison for 18 days.
“Perhaps most importantly, the impact of fines issued to the public sector is often visited upon the victims of the breach themselves, in the form of reduced budgets for vital services. In effect, people affected by the breach get punished twice,” Edwards added in his statement.
But in the spirit of sharing best practice, here are five steps the public sector could take to get privacy right going forward:
1. Invest in training
Creating a privacy-first culture starts with regular staff training. Human error is thought to be responsible for around 82% of all data breaches. If you can help your workforce understand privacy, they will care about it. And if they care about it, they will do their bit to keep personal information safe. In both the TVP and MoJ cases, for example, the ICO noted there was a lack of awareness among staff about how sensitive data should be handled, despite relevant processes being in place. Put privacy training high on the agenda, and make sure everyone completes it, and completes it regularly.
2. Review policies and processes
It’s suspected that in both the Police Service of Northern Ireland and the Norfolk and Suffolk police force cases, the FOI request was delegated to one member of staff, who published the response without any further checks. FOI requests should not exist in a silo. They often involve sensitive data, meaning that a number of checks should be carried out before publication. Other changes to work environments, such as the adoption of new tools, devices and technology, and the shift to hybrid work, have changed the dynamics of many public bodies. Set clear standards to assess, prepare for, and mitigate risks to privacy, and regularly review the policies and processes in place to ensure they’re still fit for purpose and are being followed. The ICO also has advice on how to disclose information safely.