How Does the UK Government Protect Voters’ Data?
As the 4th July General Election approaches, Hayes Connor takes a deep dive into recent statistics released by the Information Commissioner’s Office (ICO) to examine how local and central governments manage and protect voter data.
In today’s digital age, personal data is a valuable asset, and its mishandling can lead to significant consequences. Voters in the UK trust government bodies with their personal information when they register to vote, and it’s imperative that these institutions adhere to stringent data protection laws set out by the General Data Protection Regulation (GDPR), and monitored by the Information Commissioner’s Office (ICO).
The ICO regularly publishes data security reports, offering insights into data breaches and security trends within public sectors. These reports highlight the importance of robust data protection practices and help institutions understand their responsibilities and improve their security measures.
2023 witnessed several significant data breaches affecting thousands of individuals in the UK. But how do these incidents align with the ICO's findings on governmental data handling?
Hayes Connor explores these statistics to identify emerging patterns and provide clarity on how data is safeguarded by our governmental bodies, both on a local and central scale. This article will also offer practical advice for voters on maintaining their data security and outline steps to take if a data breach occurs.
History of electoral related data breaches
Previous data breaches involving local governments and voter data have raised serious concerns about cybersecurity within these institutions. One of the most notable incidents occurred in August 2021, when the UK Electoral Commission suffered a breach that resulted in the theft of voter data of up to 40 million individuals.
This attack, attributed to the Chinese hacker group APT31, exposed information such as names and addresses from the electoral registers. Although this breach did not affect the election processes or voter registration statuses, it highlighted the vulnerabilities in current cybersecurity measures.
Another growing concern is the broader vulnerability of local government systems to poor data-handling practices. Reports indicate that the handling of personal data by local authorities is increasingly seen as a potential scandal waiting to happen due to inadequate security measures.
In fact, countless local councils and authorities have already breached the data of individuals through these inadequate measures, including Essex, Doncaster, Southend-on-Sea and Powys County Councils, to name a few. These incidents underscore the need to strengthen cybersecurity protocols to protect sensitive information and maintain public trust in electoral processes.
Local & Central Government ICO data breach stats 2019-2023
The ICO publishes an ongoing data security report presenting key insights into data security incident trends since the introduction of the GDPR. The findings in this report can support organisations with data protection and handling, so that they are aware of what to look for and can take the correct action where necessary.
Analysing this data, researchers at Hayes Connor have pulled out the information regarding Central and Local Governments, showing the average data breach figures from 2019-2023.
Over the last five years, Local Governments came 4th place for the most data breaches out of all industries, with almost 1 in 10 data breaches occurring within this sector. Central Government fairs better, with just 3% of data breaches occurring in this sector; still not ideal considering the sensitive nature of the data they carry.
Taking a further deep dive into the data for these sectors, we can see the type of data exposed during a data breach, the age groups and demographics of those affected, the action that has been taken, the incident type, as well as the time taken to report a breach.
Type of data exposed in central and local government data breaches
The ICO data reveals that both Central and Local Government sectors experienced significant exposure of basic personal identifiers in breaches, as shown below:
| Central Government | Local Government | |
|---|---|---|
| Basic personal identifiers | 84.82% | 82.34% |
| Criminal convictions or offences | 11.01% | 10.94% |
| Data revealing racial or ethnic origin | 7.74% | 9.14% |
| Economic and financial data | 9.32% | 11.16% |
| Gender Reassignment Data | 0.60% | 0.69% |
| Genetic or biometric data | 1.69% | 0.72% |
| Health data | 19.30% | 31.71% |
| Identification data | 4.66% | 4.30% |
| Location data | 12.58% | 12.39% |
| Official documents | 22.02% | 3.77% |
| Political opinions | 1.09% | 0.49% |
| Religious or philosophical beliefs | 2.06% | 3.70% |
| Sex life data | 1.88% | 3.43% |
| Sexual orientation data | 1.39% | 2.89% |
| Trade union membership | 0.60% | 1.01% |
| Unknown | 8.35% | 12.51% |
Local Government had higher exposure rates of health, economic, location, and several personal data categories, while Central Government saw more breaches involving official documents and health data, reflecting their different data handling responsibilities.
Exposure of basic personal identifiers, such as names, addresses, dates of birth, and contact information, is problematic because it can lead to identity theft and fraud. Cybercriminals can use this information to impersonate individuals, access financial accounts, open credit lines, and commit various forms of fraud.
Such exposure can result in privacy violations, loss of trust in institutions, and significant emotional and financial harm to the affected individuals.
Victim age groups and demographics of local and central government data breaches
This data provides insight into which age groups and demographics were affected by data breaches within Local Government and Central Government from 2019-2023:
| Central Government | Local Government | |
|---|---|---|
| Children | 11.31% | 31.22% |
| Customers or prospective customers | 43.92% | 23.76% |
| Employees | 16.76% | 16.81% |
| Patients | 0.91% | 1.43% |
| Students | 1.09% | 2.58% |
| Subscribers | 0.42% | 1.57% |
| Unknown | 28.86% | 24.54% |
| Users | 7.26% | 19.57% |
| Vulnerable adults | 5.81% | 18.13% |
Local Government data breaches impacted children, users, and vulnerable adults most, highlighting their responsibilities in education, public service, and social care.
Central Government saw more breaches affecting customers, prospective customers, and employees, reflecting its broader national interactions and administrative responsibilities. The higher percentage of unknowns in Central Government suggests a need for improved identification processes in breach incidents.
The ‘Users’ category, though broad, could best describe and include the data of people who have registered to vote. Therefore, on average, almost 1 in 5 data breaches for Local Government could have included voters’ data.
Action taken for data breaches that occurred in the local or central government sectors
| Central Government | Local Government | |
|---|---|---|
| Informal Action Taken | 25.05% | 49.13% |
| Investigation Pursued | 23.41% | 7.40% |
| No Further Action | 51.78% | 44.17% |
| Not Yet Assigned | 1.03% | 1.95% |
While both Local and Central Governments primarily had informal or no action taken against them in response to data breaches, the ICO have been more likely to pursue formal investigations within Central Government.
Both sectors also had a notable percentage of cases where no further action was deemed necessary, meaning that the ICO has determined that no additional steps are required from their end regarding the incident. This could suggest a large portion of data breaches were either low risk cases, or compliance with data laws was evident.
Incident type for data breaches in the local and central government sectors
The ICO data provides analysis of various types of data breach incidents reported by Central Government and Local Government entities. The details of the incident type for data breaches between 2019 and 2023 were as follows:
| Central Government | Local Government | |
|---|---|---|
| Alteration of personal data | 0.48% | 0.11% |
| Brute Force | 0.06% | 0.09% |
| Cryptographic flaw | 0.00% | 0.02% |
| Data emailed to incorrect recipient | 8.95% | 16.54% |
| Data of wrong data subject shown in client portal | 0.79% | 0.76% |
| Data posted or faxed to incorrect recipient | 33.58% | 16.52% |
| Denial of service | 0.00% | 0.02% |
| Failure to redact | 9.86% | 14.07% |
| Failure to use bcc | 2.12% | 3.63% |
| Hardware/software misconfiguration | 1.75% | 1.26% |
| Incorrect disposal of hardware | 0.00% | 0.04% |
| Incorrect disposal of paperwork | 0.36% | 0.38% |
| Loss/theft of device containing personal data | 2.06% | 1.68% |
| Loss/theft of paperwork or data left in insecure location | 6.47% | 5.92% |
| Malware | 0.42% | 0.38% |
| Not Provided | 4.96% | 3.00% |
| Other cyber incident | 1.09% | 0.76% |
| Other non-cyber incident | 19.00% | 20.01% |
| Phishing | 1.39% | 1.86% |
| Ransomware | 1.21% | 3.99% |
| Unauthorised access | 4.96% | 7.17% |
| Verbal disclosure of personal data | 1.69% | 4.39% |
Local Governments reported higher rates of unauthorised access and data being emailed/faxed to the wrong recipients, while Central Government saw more frequent cases of failure to redact and data being faxed to the wrong recipients.
Ultimately, though, what we’re seeing is that the majority of cases (over 90%) are non-cyber incidents, showing significant vulnerabilities in terms of on-site GDPR practices, suggesting targeted areas for improvement in data security practices.
Time taken to report data breaches in the local and central government sectors
This ICO data provides an analysis of the time it took for Central Government and Local Government entities to report data breaches in between 2019-2023. The data is broken down into several time categories, with average percentages from the past five years, indicating the proportion of breaches reported within each timeframe:
| Central Government | Local Government | |
|---|---|---|
| 24 hours to 72 hours | 39.32% | 34.20% |
| 72 hours to 1 week | 21.78% | 23.94% |
| Less than 24 hours | 17.48% | 19.25% |
| More than 1 week | 22.20% | 24.70% |
The time taken to report a data breach is crucial because it impacts the ability to mitigate harm. Prompt reporting allows for quicker containment of the breach, minimising potential data loss, reducing the risk of further unauthorised access, and enabling faster notification to affected individuals so they can take protective actions.
Over 1 in 3 data breaches in the government sector were reported within 24 to 72 hours after the breach occurred. Central Government entities were more prompt in reporting within this timeframe compared to Local Government entities.
That being said, there are still significant delays, with almost 1 in 2 government breaches being reported outside the 72-hour window proposed by the ICO. In fact, 43% of Central Government breaches and 47% Local Government data breaches were reported after 72 hours, putting the government at risk of huge fines.
How voters’ data is stored by the UK government
In the UK, voters' data is primarily stored and managed through the electoral register. This register is a comprehensive list of individuals who are eligible to vote in elections and referendums. The process and storage of this data involves several key steps and entities:
1. Electoral Registration
- Local Electoral Registers: Each local authority in the UK maintains its own electoral register. These registers include the names and addresses of eligible voters within the local authority's jurisdiction.
- Annual Canvass: Local authorities conduct an annual canvas to update the electoral register. Households receive a form to confirm or update the details of residents eligible to vote.
2. Data Storage and Security
- Electronic Databases: Electoral registers are stored in secure electronic databases managed by local electoral registration officers. These databases are subject to data protection regulations to ensure the security and privacy of personal information.
- Paper Copies: In addition to electronic records, paper copies of the electoral register are also maintained. These are usually kept securely in local council offices.
3. Access and Usage
- Public and Full Registers: There are two versions of the electoral register:
- Full Register: Contains the names and addresses of all registered voters and is used for electoral purposes, law enforcement, and credit checking.
- Edited Register: Excludes individuals who have opted out of being listed for commercial use. This version can be bought by businesses for marketing purposes.
- Restricted Access: Access to the full register is restricted and controlled. It can be inspected under supervision at local council offices but cannot be copied or used for non-electoral purposes without permission.
4. Data Protection and Privacy
- General Data Protection Regulation (GDPR): The handling of voters' data in the UK must comply with GDPR, ensuring individuals' rights to privacy and data protection.
- Electoral Commission Guidelines: The Electoral Commission provides guidelines on the appropriate handling and storage of electoral data to maintain integrity and confidentiality.
5. Voter Identification and Verification
- National Insurance Numbers: Individuals registering to vote must provide their National Insurance number for identity verification.
- Verification Framework: Local authorities use various methods to verify the identity of voters, including checking against other governmental records.
What can voters do to ensure data is kept safe?
Once a person has submitted their details online to register to vote, there isn’t anything a person can do to protect their data. However, leading up to this point, there are a couple of things to keep in mind, such as:
Use Secure Platforms
Always use official and secure websites for voter registration. The UK government provides an official voter registration service that employs secure protocols to protect user data.
Stay Informed
Keep up to date with news and announcements from the Electoral Commission and local councils regarding any potential data breaches or updates on data protection measures.
Report Suspicious Activity
If you receive any suspicious emails or communications claiming to be from the Electoral Commission or local authorities, report them immediately. Phishing attempts can be reported to the National Cyber Security Centre (NCSC).
Data Minimisation
Provide only the necessary information required for voter registration. Avoid sharing additional personal details that are not specifically requested.
Monitor Accounts
Regularly monitor your personal accounts and be vigilant for any signs of unauthorised activity. This includes checking for unusual transactions or changes to your registered information.
Verify Sources
Ensure that any information or advice regarding voter registration comes from credible and official sources such as GOV.UK or the Electoral Commission.
Security Measures by Authorities
Understand that the Electoral Commission and local authorities are mandated to follow strict data protection regulations. They are required to regularly review and update their cybersecurity measures, including using advanced encryption, implementing intrusion detection systems, and conducting regular security audits.
Changes to the voting system to be aware of in 2024
On July 4th, there will be a General Election where voters are expected to provide photo ID when voting. The introduction of voter ID requirements in the UK has sparked considerable debate, with concerns that it could potentially disenfranchise certain groups of voters.
Critics argue that the policy, which requires voters to show a form of photo identification at polling stations, may disproportionately impact marginalised groups, such as young people, ethnic minorities, the elderly, and trans individuals. These groups are statistically less likely to possess the necessary forms of ID.
Evidence shows that the UK has a very low incidence of in-person voter fraud, with only a handful of cases reported over the past decade. Despite this, the government justifies the new measures as necessary to safeguard the integrity of elections.
The controversy has prompted calls for reforms to make the voter ID requirements more inclusive. Suggestions include broadening the range of acceptable IDs and implementing provisional voting for those who do not have ID on election day.
While the risk to your data at polling stations is generally low due to the stringent measures in place, no system is completely immune to potential threats.
Whilst staff at polling stations are trained in data protection practices to prevent unauthorised access and ensure the confidentiality of voter information, those attending should remain vigilant whilst within the polling stations and handling their own forms of ID.
What to do if you experience a data breach?
If voters experience a data breach, there are several steps they should take to protect themselves and mitigate the potential impact:
- Change Passwords: Immediately change passwords for any accounts that may have been compromised. Use strong, unique passwords and consider using a password manager to help manage them.
- Monitor Accounts: Keep a close eye on bank accounts, credit cards, and other financial accounts for any unusual activity. Set up alerts if your bank or financial institution offers them.
- Report the Breach: Inform the relevant authorities about the breach. In the UK, this could include the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC).
- Check Credit Reports: Regularly check your credit reports for any signs of fraudulent activity. In the UK, you can get free copies of your credit report from agencies like Experian, Equifax, and TransUnion.
- Consider a Credit Freeze: If you believe your financial information has been compromised, consider placing a credit freeze on your accounts. This prevents new credit accounts from being opened in your name.
- Be Wary of Phishing Attempts: After a data breach, there's often an increase in phishing attempts. Be cautious of unsolicited emails, phone calls, or texts asking for personal information.
- Contact Organisations Directly: If you receive suspicious communications purporting to be from banks or other institutions, contact them directly using verified contact details.
- Use Identity Theft Protection Services: Consider enrolling in identity theft protection services, which can monitor your personal information and alert you to potential fraud.
How can Hayes Connor help?
If your personal data has been compromised as a result of security failings by an organisation, you may be entitled to claim compensation.
At Hayes Connor Solicitors, we have significant expertise supporting clients who’ve had their data exposed due to data protection negligence. We can support to claim for privacy loss, distress, and financial losses.
To discuss your claim today, get in touch with our data protection solicitors at Hayes Connor. You can call us on 0151 363 5895 or fill in our data breach claim form and we will get back to you.