Two local authorities have leaked data of children online in recent days. Training is the only way to combat such breaches.
Two local councils are under fire after personal information of dozens of children was leaked online. The data breaches could leave the councils facing sanctions, and public sector tech leaders should ensure rigorous training programmes are in place for staff if they want to avoid a similar fate.
Today it was revealed five children in Cornwall had their information posted online by Cornwall Council. In publishing online documents for a meeting of its School Transport Appeals Committee, the council accidentally posted the children’s names, addresses and dates of birth. The council has referred the matter to the Information Commissioner’s office, according to the BBC.
Earlier this week a similar incident came to light involving Central Bedfordshire Council, which was sent a Freedom of Information Request about children in its jurisdiction with Special Educational Needs and Disabilities who have not yet been found a school place. As part of its response to the request, the council published the names and personal information of the children.
The leaks “represent a clear failure to train all staff in their duties under general data protection regulations (UK-GDPR),” Higgins adds. “Everyone responsible for using personal data in the UK must be aware of and follow the ‘data protection principles’,” he says. “There are six of them, and the last one clearly states that information must be, ‘handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.”
These issues are a direct result of poor training, says Javvad Malik, lead security awareness advocate at KnowBe4. “In many cases, these types of breaches come down to lack of security training or awareness,” he says. “While everyone makes errors, having the right cybersecurity controls and appropriate training in place can greatly reduce the risk.”