The figures came to light following a Freedom of Information (FOI) request by journalist Suzanne Kelly, which revealed that the council is now suffering over 100 annual breaches. In contrast, the council saw just eight data breach incidents in both 2015-16 and 2016-17, with numbers steadily increasing since.
The Ferret quoted a victim of an Aberdeenshire Council data breach, who had seen their data accessed by council staff, who said: “These figures are really concerning. There needs to be a major overhaul of this council by external bodies, and new councillors need to ask serious questions about what is going on.
“Training has clearly not worked nor is it a deterrent. Those breaking clear IT policies need to be removed from public jobs.”
Email failures blamed for most data breaches
While not commenting on individual data breach incidents, Aberdeenshire Council told The Ferret that most are “minor and accidental” but are all taken “very seriously.” It also said that compulsory data protection training is provided in all its functions. The FOI response from Aberdeenshire Council confirmed that compliance with data protection laws was a condition of employment for all team members.
According to The Ferret, the council’s 2021 Data Protection Report blamed 66% of data breaches in the prior 12 months to “lack of due care when using email accounts.” The same report also disclosed that 2,327 staff members had not completed mandatory data protection training, with 1,936 working in Aberdeenshire Council’s Education and Children’s Services department.
The Ferret quoted a council spokesperson as saying: “Any data breach is taken very seriously, and data protection training is compulsory within all services. While the majority of breaches are minor and accidental, the principles of safe practice remain the same and staff are regularly reminded of the importance of managing data safely and securely.
“The majority of staff within Education and Children’s Services have completed data protection training. Training is only recorded once per person and, due to the relatively high number of people with more than one job within the service, the number of non-completions is artificially high. Nonetheless, we continue to work with teams to ensure that anybody who has not completed training does so as soon as possible.”
An Information Commissioner’s Office (ICO) spokesperson told The Ferret: “Public authorities have access to a great deal of personal data, so they must ensure they too have the appropriate measures and training in place to ensure people’s information is handled responsibly and securely.
“Not all data breaches need to be reported to the ICO…We do however expect public authorities to have robust data breach recording and reporting mechanisms in place as investigations into breaches are important compliance measures and allow public authorities to gauge the severity of a personal data breach and take appropriate action.”
Findings follow recent Aberdeenshire Council incident
The disclosure of this information is the latest embarrassing data protection episode to hit Aberdeenshire Council. In March 2022, the council’s chief education officer was found to have breached FOI rules after emailing a firm to warn it could lose work after one of its employees made an FOI request about him.
Following this incident, a council spokeswoman told the BBC: “We accept the findings of the Scottish Information Commissioner and can confirm that the matter has been dealt with internally with the requested training having been provided.”
Have you been affected by a local authority data breach? You could be entitled to compensation
If you have been the victim of a local authority data breach where your details and sensitive information have been accessed or viewed without your permission, you could be entitled to compensation.
Contact LawPlus Solicitors now for a free, no-obligation review of your potential claim.