
ICO releases latest data security incidents trends report

The ICO has released its latest data security incidents trends report for the period April to June 2016.

The report identified that:

  • Four monetary penalties were issued ranging from £80,000 to £185,000;
  • Two undertakings were issued to public bodies;
  • Seven undertakings were followed up to ensure actions were addressed; and
  • The ICO received 545 new cases, a 22% increase on the previous quarter's 448.

Key data security issues by sector

The health sector continues to account for the most data security incidents, with local government the second most prevalent sector. Education was the only sector to see a reduction in the number of data security incidents, against an average increase of 35% across all other sectors included in the report (health, local government, general business, finance, insurance and credit, and charitable/voluntary).

The main data security issue for all sectors was data being posted, faxed or emailed to the wrong recipient. 

'Cyber incidents' were the second most common issue for the education, general business, and finance, insurance and credit sectors.

For the health, education and charitable/voluntary sectors, 'loss or theft of paperwork [or] unencrypted data' was a major security issue.

The local government sector was the only sector reported to have 'failure to redact data' as a main issue.

A focus on cyber incidents

The ICO has recently changed the way in which it categorises cyber incidents in order to provide a more detailed and useful summary of the issues. The report includes a particular focus on a number of cyber incidents by type and makes reference to the recently published annual report by the UK National Computer Emergency Response Team (CERT-UK).

There were 50 cyber incidents in the period covered by the report, the most common incident type being 'cyber security misconfiguration'. The ICO defines this incident type as occurring when people who are not authorised to access particular personal information are able to view and/or extract it because of incorrect or inadequate security settings.

The report highlights distributed denial of service (DDoS) attacks as a particular and growing problem for the financial sector over the coming year. In May this year, TheCityUK published its report on how to make the UK financial and professional services sector more resilient to cyberattack.

The ICO comments in its report that it aims to increase understanding of the causes of DPA breaches that relate to technology. This in turn should help ensure that accurate and useful data is collected on cyber incidents, which are only likely to become more complex, varied and sophisticated.

Points to consider

Complacency breeds failure. Regular internal training on workplace behaviour should raise awareness of the importance of data security and compliance, with the aim of making data security considerations a habit for individuals. Similar to the green cross code of 'stop, look, listen' taught to children, the ICO suggests the concept of 'Think, Check, Share' for employees sending emails as part of their daily work – something they likely do far more often than crossing a road.

Consider promoting this concept as a habit among employees before sending or disposing of personal information. This especially includes being alert to the auto-fill option for email addresses.

More generally, the increasing need for businesses and organisations to use technology that handles personal information in turn increases the chances of internal or external cyber incidents. As part of any implementation process, considerations should include:

  • which parties will handle or gather personal information;
  • the types and severity of breach which may occur;
  • which parties would be liable for any of those breaches, and to what extent;
  • how any risk of breach can be minimised, and by whom; and
  • whether, and to what extent, liability should be capped.

The outcome may accordingly point to a review of internal policies or standard contract terms.

Future ICO reports on data security incident trends are expected to reflect significant developments, in light of the impending implementation of the European General Data Protection Regulation and the increasingly creative application of technology across a variety of sectors, both public and private.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.
