UK government staff caught snooping on citizen data

What a surprise: the U.K. government was forced to reveal under Freedom of Information laws that more than 1,000 civil servants have 'snooped' on British citizens' private data.
Written by Zack Whittaker, Contributor

Don't worry about hackers illegally accessing government systems. It turns out government workers and civil servants who are trusted with private citizen data are more likely to access your data illegally.


The U.K. government is haemorrhaging data --- private and confidential citizen data --- from medical records to social security details, and even criminal records, according to figures obtained through Freedom of Information requests.

Just shy of 1,000 civil servants working at the Department for Work and Pensions (DWP) were disciplined for accessing personal social security records. The Department for Health (DoH), which operates the U.K.'s National Health Service and more importantly all U.K. medical records, saw more than 150 breaches occur over a 13-month period.

And all this comes to light no more than a fortnight after the Queen formally announced the U.K. government will monitor all Web and email traffic, and log all landline, mobile phone, and Skype calls.

And it's the privacy campaigners who are in the wrong to say that the data won't be illegally accessed or abused?

There is one, simple fact: from health records to criminal records, employment details and other personal data, government databases are not only open to abuse, but are actively being exploited by the very people we supposedly trust with our data.

Crunching the numbers: the DWP has a database of around 100 million people. More than 200,000 civil servants have to be vetted to extremely high standards before they can access this database.

Between April 2010 and March 2011, 513 civil servants were found to have made "unauthorised disclosures of official, sensitive, private and/or personal information". In the following period, between April 2011 and January 2012, more than 460 staff were disciplined.

The DoH on the other hand said it did not log each and every breach of unlawful access to U.K. medical records. It did say there were 158 recorded breaches in 2011. Only four years earlier, there were only 28 cases, representing a fivefold increase.

The FOI requests were made by Channel 4's investigative series, Dispatches.

Out of the hundreds of thousands of employees in both departments, the numbers represent only a fraction of the total staff. Having said that, it took only one person --- allegedly --- to leak more than 250,000 U.S. diplomatic cables to Wikileaks, the largest unauthorised release of classified data in the history of the United States.

Currently, under the Data Protection Act, it is a criminal offence to obtain or disclose personal data without permission or procure disclosure to other persons. The penalties for a criminal offence go up to £5,000 ($7,900) in a lower magistrates' court, or an unlimited fine in a higher Crown court.

Some British politicians even called for some extreme data breaches to result in prison sentences --- something dismissed by other parliamentary committee members.

Rarely does the fine rise to five figures, let alone six. Only recently, one Scottish local authority was fined £140,000 ($220,000) for five separate data breaches --- the highest fine imposed by the courts to date.

But as is often the case, the financial benefits from selling personal data are rarely outweighed by the fines or penalties imposed.

Under new legislation presented by Europe, if a data breach occurs, whether by an individual deliberately acting outside the law, or accidentally due to unforeseen events, the person to whom that data relates must be informed.

But those laws are at least two or three years away, and until then, companies and public sector organisations will face meagre fines compared to the €1 million flat-rate or 2 percent of their annual global turnover.
