Councils in the West Midlands have lost or disclosed the public’s sensitive data over 450 times since 2011.
Despite this catalogue of blunders only six employees have actually been fired by the councils while in 92 per cent of cases no disciplinary action was taken at all.
Across the West Midlands, there have been 453 data breaches – such as emails and letters being sent to the wrong people and the loss of key documents – since April 2011, according to figures obtained under the Freedom of Information Act by Big Brother Watch.
Sandwell Council was the biggest offender – and the second worst authority in the UK when it came to the number of times it has blundered with the public’s personal information – with 187 breaches in total.
Wolverhampton was also in the top ten worst offenders with 100 cases of data being mishandled while Coventry was close behind with 90 cases.
Birmingham performed comparatively well, with just seven leaks across the period – despite being by far the largest authority.
A Big Brother Watch spokesperson said there should be custodial sentences for serious data breaches.
He added: “As it stands, data protection training is not compulsory for those handling personal information. This needs to be rectified.
“Both the public and the staff working in local authorities need to be able to trust that when a breach occurs it will be treated with the same approach across all organisations. This should include a duty to inform people when their personal information may have been involved in a breach.”
Across the whole of the UK, there were 4,236 data breaches between April 2011 and April 2014.
This included the theft of 68 laptops, 14 USB sticks and seven PCs as well as workers misplacing 31 BlackBerry devices, 19 USBs and 12 mobile phones.
Of the 4,236 breaches, 658 directly involved the loss of children’s data.
Big Brother Watch has called for a series of harsh punishments for serious data breaches – including jail terms, criminal records and mandatory reporting of breaches.
Data protection training should be mandatory for members of staff with access to personal information, the group adds.
Sandwell Council chief executive Jan Britton said it has a robust approach to any potential data breaches.
She said: “While we may appear second in this list, this may well be because we take the issue so seriously and because staff tell us about incidents.
“The vast majority of all reported incidents invariably turn out to be either internal mis-directed emails or mis-addressed letters. These account for 130 of these incidents.
“In all cases, the council’s first response will always be to either get the information back or to confirm it has been destroyed so it doesn’t get passed on. Where the situation does contain sensitive personal data we always communicate these incidents to the Information Commissioner's Office.
“One of the reasons for Sandwell having such a high figure of incidents follows on from a successful internal campaign to highlight what constitutes data incidents.”
In 68 per cent of cases across the UK, no disciplinary action was taken against the employees involved in the blunders while just 50 were fired.
Only one court case relating to data protection has taken place. An employee of Southampton Council was successfully prosecuted by the ICO for having “transferred highly sensitive data to his personal email account”.
A Big Brother Watch spokesperson added: “A breach of trust highlights a number of major issues which need to be resolved. Until proper punishments for the misuse of personal information are implemented, the problem has the potential to grow, particularly as the gathering of data increases year on year with new technologies and a move to paperless systems.”
DATA BREACH FIGURES FOR COUNCILS
Council // Breaches
Sandwell // 187
Wolverhampton // 100
Coventry // 90
Walsall // 34
Solihull // 29
Birmingham // 7
Dudley // 6