Birth certificate blunder and library leak among 170 data breaches reported at Sunderland City Council

Sunderland City Council saw more than 150 reported data breaches last year, according to new figures.

By Chris Binding
Saturday, 27 July, 2019, 06:00
Sunderland Civic Centre

A total of seven data breach cases were also referred to the Information Commissioner’s Office (ICO) – which deals with more serious incidents.

Of this number, the council self-referred four cases while others were reported by members of the public.

They included a recent cyber attack on the council’s library database earlier this year where details from 45 customers were accessed.

Other incidents included a birth certificate being sent to a third party and the publication of a private telephone number in a contacts list.

In May 2018, General Data Protection Regulations (GDPR) were introduced, setting out laws for organisations around protecting personal data.

To comply with the new rules, a local Data Protection Office was set up to provide support to Sunderland City Council and its companies.

This includes Sunderland Care and Support, Sunderland Homes Ltd and children’s services agency Together for Children.

Between June 1, 2018 and May 31 this year, 170 recorded cases were linked to some “failing in data protection compliance”.

Data protection officer, Rhiannon Hood, has said many of the breaches were linked to minor incidents or increased reporting.

“We need to emphasise that this authority took quite a draconian approach to this, we require reporting of very low-level incidents,” she told the council’s Audit and Governance Committee.

“We have got figures here that might look high but actually some of those figures will relate to a sheet of paper with a name on left on a photocopier.

“We thought to get a grip on this and encourage reporting, if we know about everything we can handle everything and stop it becoming a bigger issue.”

The council currently uses a traffic light-style scoring system to judge the severity of data breaches.

Out of 170 data breach cases, 62% (105) were rated as the lowest level ‘green’ category – with little to no impact.

A further 29% (50) were rated as ‘amber’ while 2% (4) were rated as the most serious ‘red’ category – incidents where there is a potential to have an impact on an individual.

A further 6% (11) were classed as compliance issues or non-breaches.

Data protection officer, Rhiannon Hood, added: “There is definitely a trend in cases of services that intervene in people’s lives that the people receiving the services don’t necessarily welcome them and will challenge our use of their information with the commissioner.

“In particular, Together for Children have had a number of reports to the ICO where the ICO has found that information has been used appropriately.”

According to a report presented to the committee, data breach reporting arrangements have been “reviewed and simplified” following learning and feedback.

A focused project, led by the data office, was also launched to tackle errors that resulted in misdirection of post and related incidents.

Recommendations included extra training, early investigations, “prompt responses” to incidents and improved record-keeping.