Scottish Government and agencies breached data protection rules almost 2,000 times

The Scottish Government and its agencies have breached data protection rules almost 2,000 times since the introduction of GDPR in 2018, it can be revealed.

The figures were described as “concerning” by the Scottish Conservatives due to the amount of sensitive data held by the agencies.

The Scottish Prison Service was the worst offender and is responsible for more than 1,100 data protection breaches over the period, with more than 350 a year since the introduction of the new laws in 2018.

Hide Ad
Hide Ad
Read More
Matt Hancock: SNP demand investigation into appointment of adviser Gina Coladang...
Scottish Conservative MSP Stephen Kerr.Scottish Conservative MSP Stephen Kerr.
Scottish Conservative MSP Stephen Kerr.

The Scottish Government itself was the second worst offender and was the only part of the government to fail to report a serious data breach to the Information Commissioner’s Office (ICO) within the 72 hours required by law.

Disclosure Scotland, which is responsible for providing criminal record checks to employers and voluntary organisations, reported more than 200 data breaches.

Scottish Conservative chief whip Stephen Kerr said the number revealed “worrying weaknesses” in the Scottish Government’s security systems.

He said: “Given that Scottish Government agencies store vast amounts of sensitive data, many people will be alarmed by these figures. The number of breaches occurring is concerning and reveal some worrying weaknesses in the SNP Government’s security network.

“Ministers must not take their eye off the ball when it comes to security-related issues. Urgent reassurances must be given that robust measures are in place to ensure the number of breaches is significantly reduced going forward and that all breaches are reported as quickly as possible.”

Not all data breaches have to be reported to the ICO, with the seriousness of the breach determining whether a report should be made.

Of all 1,993, just 31 were considered serious enough to report to the Information Commissioner, with one of those not being disclosed to the ICO within the 72 hour statutory timescale for such reports.

The vast majority of the breaches – 713 in total – were confidentiality breaches, where there is an unauthorised or accidental disclosure of or access to personal data.

Hide Ad
Hide Ad

The ICO also confirmed it has taken no action around data breaches against the Scottish Government since 2018.

A spokesperson said: “People have the right to expect that organisations will handle their personal information securely.

"Public authorities have access to a great deal of personal data, so they must ensure they have the appropriate measures and training in place to ensure people's information is handled responsibly.”

A Scottish Government spokesperson said: “We take information security very seriously and all staff are required to follow the data protection principles, follow an IT Code of Conduct and undertake annual mandatory data protection training.

“Under the UK GDPR, any serious breaches of personal information are notified to the Information Commissioner. We take any incidents very seriously and log and thoroughly investigate each to ensure lessons are learned and appropriate actions are taken.”

The Scottish Prison Service was also contacted for comment.

A total of £147.2 million in GDPR fines were issued against European countries last year, with the UK ranking second on the list with £37.7m in fines – from only three violations.

Personal data will continue to be able to be transmitted freely across the channel under post Brexit arrangements, with the European Union having deemed the level of protection provided by UK law as adequate.

A message from the Editor:

Thank you for reading this article. We're more reliant on your support than ever as the shift in consumer habits brought about by coronavirus impacts our advertisers.

If you haven't already, please consider supporting our trusted, fact-checked journalism by taking out a digital subscription.



Want to join the conversation? Please or to comment on this article.