Growing numbers of UK whistleblowers are submitting confidential reports about data breaches at their businesses to the official watchdog, according to new figures that highlight increasing public concern about privacy and cyber security.
Eighty-two people sent in reports to the Information Commissioner’s Office (ICO) about potentially undisclosed breaches in the three months to the end of August, compared with 31 reports in the three months to the end of April, according to figures compiled by law firm RPC after a freedom of information request.
The almost-tripling in such reports coincides with the introduction of tough new data protection rules in May and heightened security awareness following a series of scandals this year.
Businesses scrambled to improve practices ahead of the introduction of the General Data Protection Regulation, which could see companies fined up to 4 per cent of annual turnover or €20m for failing to report breaches within 72 hours.
However, a series of leaks, breaches and hacks since the start of the year have revealed that businesses are struggling to digest the rules as customers move increasingly online.
Marriott International said last month that as many as half a billion hotel guests might have had their personal information stolen in one of the largest hacks in corporate history, though it failed to report the incident to regulators for more than two months.
Last week Facebook, which has been embroiled in a string of controversies over its approach to privacy, revealed another leak of private photos belonging to millions of people, prompting an investigation from the Irish data protection commissioner.
The ICO has been encouraging whistleblowers to come forward with information about leaks after the Cambridge Analytica scandal, in which at least four whistleblowers revealed information about data use in political campaigns.
“In recent years, data protection has become a major concern not just of government and regulators, but also the general public,” said Richard Breavington, partner at RPC. “It is not just disgruntled employees who act as whistleblowers, but genuinely concerned individuals.”
Many institutions have yet to improve their data security systems. According to figures compiled by Redscan, a cyber security company, one in four National Health Service trusts in England and Wales have spent no money on specialist cyber security training or expertise in the past year.
Short-staffed regulators have indicated they will take a more active approach to policing businesses. “It’ll take time to build staff,” Ms Denham said earlier this year. “We have started more investigating . . . of social media companies and elections. I’d call that more of a proactive [investigative] culture. The whole approach needs to change.”