Lichfield District Council – one example of poor data security

A previous meeting at Lichfield District Council told of the reportedly poor attitude toward data protection at the council, which was apparently described by one councillor as “verging on negligent”. We do hope that these issues have now been resolved, as the security issues could put the council in breach of the GDPR.

Every organisation and individual is required by law to handle information with caution and with respect for the right to data privacy, so any failures in this duty could be subject to enforcement and punishment. In addition, many victims affected by data breaches may have a right to claim compensation from those who failed to protect the personal data that they are responsible for. We support victims to assert their rights when it comes to data protection, so contact us for advice if you think your rights have been breached. We may be able to help you on a No Win, No Fee basis.

The risk of data protection negligence at Lichfield District Council

The primary issue highlighted in the meeting was reported to be in relation to unencrypted laptops being used by council members. This was a problem that was brought into discussion as the councillors considered a report on data protection policy at Lichfield District Council.

There was some particularly critical views of the carelessness shown at the time in respect of the use of the laptops in question. Whilst acknowledging the constraints put upon the council by Covid-19, it was reportedly stressed that the problem of unencrypted laptops extended as far back as 2017. The issue appeared to be, therefore, indicative of a long-term failure to implement adequate data security measures.

A spokesperson declared that the unencrypted laptops that had been in use would be replaced in January 2021. Over a year on from that point, we do hope that the matters have now been resolved.

What could the consequences of unencrypted equipment be?

In this particular case, any failure to encrypt work equipment could have endangered the personal information of local residents, in theory. Encryption is a basic data security measure that can help to create a barrier against cyberattacks. As such, if it is absent, there may be fewer defences protecting private information.

If Lichfield District Council’s resident data were to fall into the wrong hands, it could be misused for identity theft, or to execute fraud. Some of the information that the council holds could be particularly valuable to fraudsters, as it may include identity documents, National Insurance numbers and bank account details.

It is understood that Lichfield District Council stated that such data theft could not have occurred as no residents’ data had been stored on the laptops in question. However, any defence is only as good as its weakest link, so any weaknesses could be an avenue for criminals to exploit. In fact, as it was also reported that the use of “untrusted removable storage devices” (e.g. memory sticks) was not properly regulated at the council, there may have been little guarantee that information had not been transferred onto these devices.

Data breaches at councils

The Lichfield District issues were, unfortunately, not representative of a lone example of poor data security. Many other councils have failed to implement sufficient data protection measures and they have suffered harmful breaches as a result.

The sheer disregard and unwillingness to correct data protection problems in some cases is not without consequence, and those who fall victim to a council data breach due to negligence may be eligible to claim compensation. If you have been affected by a breach, please do not hesitate to contacts us, as we can offer advice on your potential claim. We may be able to offer No Win, No Fee legal representation.