Sixty per cent of local authorities don't know how much sensitive data they have or where it is kept
Six Degrees Group received 302 responses to FOI requests, and finds 'worrying lack of insight' from local authorities
A staggering 60 per cent of local authorities don't know how much sensitive data they hold, or where it is kept, according to research conducted by managed data and voice service provider Six Degrees Group (6DG).
The company received responses from 302 UK local authorities to its Freedom of Information requests. It found that two thirds of local authorities were unable to report on how much of the data they stored was sensitive, and how this data should be managed in relation to the new CESG 'official' security classification guidelines.
The new security classifications, which also included 'secret' and 'top secret' levels, were introduced by the government in 2014 to replace the impact level (IL) ratings but have seemingly caused confusion among many of the local authorities.
In fact, 61 per cent of respondents said that they were unable to say whether their 'official' data was held internally or externally, and only two per cent reported that at least half of their 'official' data was held in the cloud, with more than a third (37 per cent) storing the majority of their data on-premise.
A 6DG spokesperson told Computing that the high proportion of councils not knowing where their 'official' data was held was down to a lack of the resources or expertise that central government has.
Meanwhile, more than half of the local authorities reported breaches of 'official' data in the last two years, with one authority suffering 213 data breaches in that period. Just over a third (34 per cent) said that they had suffered no data breaches over the two-year period. Nearly half of the respondents (45 per cent) revealed that they had no record of whether a security audit had taken place within the authority in the last two years.
According to a 6DG spokesperson, the data breaches in question may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property, for instance.
"This insight reveals a huge gap in approach within local authorities across the UK, with a worrying majority lagging in their understanding of the actual position they are in regarding data security, let alone bringing protection up to standard," said Campbell Williams, group strategy and marketing director at 6DG.
"We see less than half of them classify their data to an officially recognised standard and have regular audits in place to protect their data; this small percentage appears to be in a reasonable position as they aren't suffering breaches. The rest are struggling - breaches are commonplace - and what is equally as worrying is the serious lack of insight they have into their own situation. These authorities need to act very quickly or more sensitive public data will be lost to potentially criminal sources," he added.
A 6DG spokesperson said that CESG is the definitive voice on the technical aspects of information security in government, suggesting that it is the go-to organisation for councils who need advice on how to improve their security practices.