Big Brother Watch last year highlighted the serious shortcomings in data protection in local authorities across the country.
However, the wider issue is not only about data storage and loss, but also about how datasets are held together and combined for a whole variety of purposes.
In recent weeks two incidents have highlighted how acutely sensitive information is combined and held in a single database, when there is no obvious need to do so, and that database is then lost.
In one incident, Islington Council published personal details of thousands of residents in response to a Freedom of Information request. The Telegraph reported that names, addresses, religion, relationship status and the sexuality of 2,500 residents were published by mistake.
A similar incident was disclosed yesterday by Torbay Care Trust in Devon, which published sensitive personal details of more than 1,000 NHS staff on the internet. The details remained online for 19 weeks until they were spotted by a member of the public. The investigation estimated the spreadsheet was viewed 300 times.
Details of each person’s sexual orientation and religious beliefs were published alongside their name, date of birth, pay scale and National Insurance number. The Information Commissioner fined the trust £175,000 for the incident.
Both these cases highlight the risk of combining data. Why on earth were salary information and sexual orientation included alongside names and addresses? If there is a real need for monitoring salary and religious beliefs (and I struggle to see why there would be) then there is no need to include employee names and addresses alongside that data.
Rather than combining all the data available, only the information that’s absolutely necessary should be used – a basic principle that should underpin the way organisations deal with personal information, but is sadly missing from countless organisations. A substantial cultural shift is required to begin treating data with the care and diligence that is required to restore trust, particularly to the public sector.
While fining the organisation does send a message to senior management, it is clear that some frontline staff are not taking these issues seriously and far more needs to be done to hold to account those responsible for errors and improve standards to stop small errors having a significant impact on people’s privacy.