- Solicitors For Business
- Solicitors For You
- About Us
- News & Events
Information Mismanagement: Can Whitehall Improve Its Grip On Data And Devices?21st February 2020 Media Law
Just last month, the Office for National Statistics (ONS) released figures indicating that some 329,000 mobile phones alone were stolen in the year to March 2019.
The trauma of theft of a device is arguably made worse by anxieties about what might happen to the personal data which those devices might contain, given the popularity for shopping, banking and living online. It is a frightening to think how much personal information is actually contained on a smartphone today which, if it finds its way into the hands of an unknown third party, could have a number of very serious consequences - not least, identity theft.
Think, then, about the potentially greater consequences created by the loss or theft of devices belonging to people working for government departments.
That problem has come to mind following the publication of one media report revealing that 27 government departments between them lost just over 2000 mobile devices, including mobile phones, laptops and portable hard drives, in the 12 months to June last year.
According to the article, which was based on a series of Freedom of Information (FoI) requests, only 249 of the devices were subsequently recovered. Allegedly, some of the devices lost (3%) contained no encryption whatsoever meaning the information contained on the device could be read by anyone who found it.
Although we don't know the exact nature of the information the devices contained, this news is enough to set the nerves jangling, particularly when you consider that the departments which featured in the research included the Ministry of Defence, HMRC, the Home Office and the Department for Education.
It's not the only recent issue of this sort either. Last March, it emerged that the Ministry of Justice logged 2,940 data security incidents during the previous year.
The very same month, the National Audit Office (NAO) provided a rather sobering view at the half-way mark of a five-year National Cyber Security Programme.
Having acknowledged that, as "one of the world’s leading digital economies", the UK was a target for cyber-attacks from foreign governments and criminals, the NAO concluded that it was unclear whether government would meet its objectives to make the country more secure online.
It was a view which followed on from a 2016 savaging, when the NAO highlighted how the Cabinet Office had "little visibility of information risks in departments", with the management of personal data breaches being "chaotic".
The overall picture - then and since - is not one which reflects well on Whitehall's data privacy practices.
Whilst the figures in the latest reports are retrospective, they do relate to the year following the introduction of important data privacy legislation and it would be entirely understandable if they caused some people concern.
It's worth remembering that the scale of losses reported this week, occurred in the 12 months following the introduction of the General Data Protection Regulation (GDPR) and Data Protection Act 2018, which were designed to modernise data protection law and strengthen data privacy rights.
Ministers and their departments have comprehensive obligations to safeguard the data privacy interests of Britons. Although GDPR caused many organisations to ensure that their procedures were more robust, it would appear some were still lacking.
The media reports don't set out whether the government data losses resulted in individuals suffering harm or financial loss, although the many similar cases handled by myself and my colleagues suggest that this is likely to be the case in at least some of the reported data incidents.
Any individual whose personal data has been “lost” on an unencrypted device does have various remedies open to them, including the ability to make a complaint to the Information Commissioner's Office (ICO) - which can take regulatory action against the person or body responsible for the data breach.
An individual can also potentially take legal action through the civil courts to obtain (amongst other remedies) damages in relation to the distress suffered as a result of the breach of their data privacy rights and the loss of their right to control their private information and personal data, and also to recover any financial loss suffered as a result.