Devon County Council – Data Incident and Data Breaches Root Cause Analysis

Sector: Public

Key challenges: Large-scale processing, high-risk data, complex structure, significant number of data breaches

The client

 

Devon County Council is one of the largest local authorities in England, processing high volumes of personal data (including special category data). As an employer of thousands of staff spread across the region, who are responsible for providing key services to over half a million individuals, the council treats managing people’s data and keeping it safe as a key priority.

The council had experienced a significant increase in data breaches resulting in the breach of service users’ personal data since the first lockdown in April 2020. There was also a significant increase in high-risk data breaches (where there was a significant risk to the data subject’s rights and freedoms) of which the majority met the threshold for reporting to the Information Commissioner’s Office (ICO). Several of these data breaches also resulted in litigation.

 

What did they need?

 

The client’s initial analysis attributed the cause of these data breaches to ‘human error’, and they wanted Data Privacy Advisory Service (DPAS) to conduct a root cause analysis investigation to further interrogate the causation of these data breaches so that lessons could be learnt going forward. The desired outcome was an expert report detailing the causation of the high-risk data breaches reported within a specific period (18 months), an analysis of the root causes, any areas for improvement, and the remedial actions recommended by DPAS. Our client wanted to put measures in place to reduce the frequency of data breaches, to improve the public’s overall confidence in their service, and to reduce their vulnerability to potential sanctions, litigation and/or fines.

 

How did we help?

 

The client chose to engage independent experts (us!) to conduct a root cause analysis and help them get the funding they needed to implement key measures to reduce the likelihood of another significant increase in data breaches.

As part of the root cause analysis to further interrogate the causation of these data breaches, DPAS used a causation analysis method where incidents were broken down by people, process, technology, and ‘other’ to determine the overarching root cause for each incident. DPAS also identified ‘building blocks’ to help shape the implementation of a remediation strategy for the client that would help mitigate the risks associated with data breaches.

 

  • Within each ‘building block’ (ownership of change, standards, policies, guidelines, technology, data ownership, processes, data value, procedures, data strategy) we built their objectives focusing on value, compliance, and culture.
  • From each principle, we designed their deliverables and set out how they could achieve each principle.
  • Once the above was developed, we were able to put a recommended remediation implementation approach together consisting of a road map, delivery options and strategic considerations.

 

DPAS used industry best practices and existing root cause analysis methods to provide structure for the following data protection assessment activities:

 

  • Review existing documentation.
  • Communication with key staff members.
  • Assess causation.
  • Analyse data.
  • Remedial advice.
  • Implementation roadmap.

 

By breaking down the root cause of ‘human error’, we were able to determine the underlying and root causes that contributed to each high-risk incident. This also allowed for some quantitative analysis, which culminated in the remediation suggestions DPAS made.

DPAS conducted this investigation as a three-stage process (incident triage, incident analysis and remediation, as shown below), which resulted in an expert report that was delivered to the client to help them achieve their objectives.

 

Stage 1: Incident Triage

  • Breach evaluated
  • Risk Profile
  • Key breach factors
  • Initial causation

Stage 2: Incident Analysis

  • Breach investigated
  • Detailed analysis
  • Secondary causation
  • Data analysis

Stage 3: Remediation

  • Root cause established
  • Remediation proposals
  • Implementation roadmap

 

DPAS recommended that the client strengthen their data protection training, policies, procedures, and systems to prevent significant disruption to critical services and reputational damage. In addition, it was clear that mitigating the risks would save time, as less time would be spent containing and monitoring each incident. These time savings also translate into cost savings.

Furthermore, DPAS recommended that the client review their data management strategy, ensuring that it focuses on three key areas: data value, data compliance and data culture. This enabled the client to focus its efforts on key areas of improvement that will yield results in reducing the frequency of data breaches. Additionally, our findings enabled the client to improve its data strategy and to target available resources at the greatest need. The quantitative and qualitative analysis that DPAS collected also allowed the client to procure the additional resources they need to prevent data breaches.

 

What was the outcome?

 

  • Working with independent experts, our client was able to impartially assess the causation of data breaches within their organisation beyond what was previously understood.
  • Our client was able to quickly identify relevant stakeholders that need to be engaged as part of the development of the strategy.
  • Our independent experts challenged internal perceptions of what the strategy should contain.
  • Our independent experts brought in industry best practices and standards.
  • We transferred skills and knowledge to our client, delivering the strategy together.

 

Following our advice, Devon County Council was able to embed the key principles of data privacy into the day-to-day lives of its employees. A clear strategy and governance framework has given employees the confidence to manage data safely.

The implementation of the remediation strategy will lead to reduced costs with less time required to investigate breaches and more effective use of employees’ time in training, leading to improvements in risk management.

Human error was the root cause of data breaches. As well as the impact on the data subject and the organisation, errors have a lasting impact on the employees involved. In our interviews with employees, we were able to facilitate personal development with supportive reflective learning. Overall, our interventions aim to improve the employee experience as well as reduce the risks for the organisation.

After we had successfully completed this root cause analysis project for our client, they retained our services to help them with ongoing incident analysis management as well as to help them clear their backlog of data breaches that need investigation.
