Council paid out tens of thousands of pounds for data breaches

Ted Peskett, local democracy reporter

One Welsh council has paid out nearly £100,000 in compensation because of data breaches.

The figures, obtained by Data Breach Claims via a freedom of information (FOI) request, show Vale of Glamorgan council paid out £95,000 from April 2021 to March 2024 – the most out of the 12 Welsh councils that returned information on this.

Information on data breaches from 18 out of 22 Welsh councils has been presented by Data Breach Claims, with one council denying the request for information due to security concerns, according to the company.

Other figures from the FOI return show that Vale of Glamorgan Council faced 171 data breaches between April 2021 and March 2024.

Data breach incidents

The number of data breach incidents at the local authority has increased year on year, according to Data Breach Claims.

Figures obtained by them show that 30 incidents were recorded in 2021, increasing to 55 the following year. A further 86 data breach incidents were logged by the council between 2023 and 2024.

However, a number of other Welsh councils faced a higher total number of data breach incidents between April 2021 and March 2024.

These include:

Caerphilly County Borough Council (252)
Flintshire County Council (304)
Neath Port Talbot County Borough Council (267)
Pembrokeshire County Council (597)
Powys County Council (516)
Swansea City and Borough Council (237)
Torfaen County Borough Council (281)
Wrexham County Borough Council (532)

Councils are expected to collect, store, use, share and dispose of personal information or data about individuals, in line with the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA).

According to the ICO (Information Commissioner’s Office), cyber attacks on local authority systems have increased by 24% between 2022 and 2023.

Personal data breaches reported by local authorities, it confirms, have gone up by 58% in the same time period.

Responsibilities

A Vale of Glamorgan spokesperson said: “The council takes data security and its responsibilities under information and data law very seriously.

“An effective internal communications campaign was run in 2023 to ensure staff were reminded of their data security responsibilities and to continue to foster an internal culture of openness in reporting any potential incidents.

“Our reported figures include near misses and low-level breaches that other organisations may not act upon.

“We, however, feel that it is important that we have an accurate assessment of data security in the organisation and are able to learn from all incidents to better protect citizens personal information in the long-term.”