Majority of UK councils don’t know how much sensitive data they hold

Responses to Freedom of Information requests paint a worrying picture of data security within UK councils, with most lacking understanding or visibility over the data they hold.


The majority of councils in the UK don’t know how much sensitive data they hold, according to responses to Freedom of Information requests.

Many local authorities lack awareness of or visibility over the data they are responsible for, with 66 percent unable to say how much of the data they store is sensitive or how it should be managed to meet new CESG security classification guidelines.

Some 302 out of 433 local authorities replied to Freedom of Information requests by technology infrastructure provider Six Degrees Group.

Councils are also unsure where their data is stored, with 61 percent unable to say if theirs is held internally or externally. Just two percent said at least half their ‘official’ data was held in the cloud while 37 percent stored most of their data on site.

Local authorities reported vastly different numbers of data breaches over the last two years. Just over half said they had experienced breaches, with one saying they had suffered 213 incidents.

However, over a third of authorities (34 percent) claimed to have suffered no data breaches at all over that period, and 45 percent said they had no record of whether a security audit had been conducted in the last two years.

New rules for security categories came in just over a year ago, with three tiers (Official, Secret and Top Secret) replacing the seven ‘business impact levels’ previously used to classify data.

The new classifications were supposed to clarify security rules but appear to have caused confusion among local authorities, many of which seem unsure how to categorise their data.

When the new tiers were introduced, a CESG spokesperson explained the official level is “equivalent to good commercial practice” and appropriate for the majority of government activity.

These statistics show UK councils lack comprehensive knowledge of security measures and are unaware of the options available to improve protection of their ‘official’ data, Six Degrees Group said.

“This insight reveals a huge gap in approach within LAs across the UK, with a worrying majority lagging in their understanding of the actual position they are in regarding data security, let alone bringing protection up to standard,” Six Degrees Group’s strategy director Campbell Williams said.

He warned that most local authorities are “struggling”, with breaches “commonplace” within the sector.

“What is equally as worrying is the serious lack of insight they have into their own situation. These authorities need to act very quickly or more sensitive public data will be lost to potentially criminal sources,” Williams added.