Data breach crisis in central government, time for ICO to act?

Posted on 12 April 2024

Official figures from the Information Commissioner's Office suggest that there was an 8000% increase in the number of people affected by financial data breaches in central government between 2019 and 2023.

There are estimated to be around 67.5 million people in the United Kingdom. Each of those is a data subject under our data protection laws. Yet in 2023 alone, according to the Information Commissioner's Office's statistics, there were approximately 195 million data subjects whose rights and freedoms were put at a likely risk by breaches of data security in central government, in relation to "economic or financial data". This means that, in a single calendar year, the rights and freedoms of every single person in the country were put at likely risk almost three times, on average, by a Government breach of data security.

It is possible that some of the 195 million were outside the UK, or that some people were less affected (or not affected at all), and some were more affected. It's also important to note this finding only relates to "economic and financial data", so full figures for all personal data will be much higher.

A crisis in data security in central government?

The figures derive from reports of 'personal data breaches' (PDBs) made under Article 33 of the UK GDPR to the Information Commissioner's Office (ICO). A PDB is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

There was for a while a problem with 'over-reporting' of PDBs, but the ICO has been very vocal in discouraging such over-reporting in recent years, so - all things being equal - one might actually have expected a drop in figures. It should also be noted that when a data controller makes a report under Article 33, estimates of people affected are rarely going to be 100% accurate. 

Not every PDB indicates a serious failure warranting enforcement action, and some will end up being 'near misses'. However, what the figures do unequivocally show is a massive increase in the numbers potentially affected between 2019 and 2023 (from 2.4 million in 2019) with a notable upswing between 2022 and 2023 (from 70 million to 195 million).

There have certainly been several damaging data security breaches in recent months. Examples such as the compromise of the England and Wales electoral register as well as ransomware incidents involving the British Library and a number of other UK public authorities may have upped the figures, but not all of those will have involved economic and financial data, and it is not immediately obvious how they could be categorised as 'central government'.

The ICO's response

The Information Commissioner John Edwards was only recently reported as saying that his policy of not fining the public sector but instead issuing non-binding reprimands was “very effective, especially in the public sector where reputation is worth more than the purse”. The evidence in fact points rather starkly the opposite way. Since his softer-touch approach for public authorities was adopted, it appears that data security failings at least in central government have skyrocketed.

It is important to note that the softer-touch was introduced as a "trial", and Mr Edwards did say "if I do not see the improvements that I hope to see, I will look again". However, the trial is soon to end (assuming it is still a two year trial, as announced in June 2022) and data security failings in central government appear to be on the rise. It is true that the numbers of PDBs and people affected do not necessarily indicate a failure of the trial, but, as yet, there appears to be very little indication of what evidence or metrics will be used to gauge success or failure.

The ICO was asked to comment but did not state whether the increase in central government data breaches required action. It responded: "We are continuously engaging and working with government departments to remind them of their legal obligations, and offer guidance and advice with the aim of improving practices. Over the past two years, we’ve also taken formal action against a number of central government departments, using the full range of our regulatory powers to uphold people’s information rights…We can confirm there will be a review [of the revised approach to public sector enforcement, after the two year trial]".

The issue of transparency

These figures are buried away in a freedom of information disclosure by the ICO: they were not proactively published, and there appears to be no explanation for the enormity of the issue, and nor does there seem to be any transparency within central government about how such security issues are happening and what is being done about them.

Regardless, the evidence points to a pressing need for government to get its house in order, and for the ICO to take a fresh look at whether there is a need for more robust enforcement in the public sector.
