A series of Freedom of Information (FoI) requests targeting local authorities across the UK shows that public sector organisations continue to struggle with data security, with thousands of breaches and incidents reported during 2024.
The figures, compiled by Apricorn and collected from 27 UK councils, indicate that over 2,400 suspected data breaches occurred across the sector last year.
Surrey County Council was the highest reporting authority, disclosing 634 breaches, followed closely by Oxfordshire County Council (451), North Yorkshire Council (406) and Suffolk County Council (328).
Many of these incidents were the result of basic human errors, such as misdirected emails, lost paperwork, or the unauthorised sharing of sensitive personal information.
Notably, Suffolk County Council disclosed six breaches reported to the Information Commissioner’s Office (ICO), highlighting multiple failures including unauthorised access, internal data publication, and inappropriate information sharing. North Yorkshire Council provided similar reasoning. Of the 406 total breaches, eight were reported to the ICO, including three cyber incidents, two unauthorised disclosures, one through incorrect email recipients, one unauthorised access, and one through lost or misplaced data (paper records).
Despite these volumes, several councils sought to reassure by clarifying that not all incidents resulted in harm or formal reporting to the ICO. Cheshire East Council, which recorded 212 suspected breaches, noted that all potential data security incidents and data breaches are reported out of an abundance of caution, but many involved internal-only disclosures or were classified as ‘near misses’. In accordance with internal policies and procedures, staff are encouraged to report incidents as soon as they are discovered, even if they are unsure of the risk at the time.
Similarly, Cambridgeshire County Council reported just three ICO-notified breaches in 2024, all of which were caused by staff mistakes, but the regulator deemed they were handled appropriately.
The FoI responses also highlight ongoing problems with device management. East Riding of Yorkshire Council reported the loss or misplacement of 157 devices in 2024, including 106 mobile phones and 34 tablets. Hertfordshire County Council lost 75 devices, while Essex County Council reported the loss of 33 mobile phones, none of which were encrypted. Essex County Council stated that the devices in question were low-cost, non-smartphone models such as the Nokia 105, which do not support encryption. The use of such unsecured devices raises serious concerns about the council’s ability to protect data on the move.
“Even with training, guidance, and policies in place, basic human error continues to be a significant cause of data breaches across local government,” said Jon Fielding, Managing Director, EMEA, Apricorn. “Add to this the large number of unencrypted or poorly secured devices still in circulation, and the risk to data becomes even more pressing. Councils must ensure that endpoint security is not left to chance, encryption should be standard, regardless of device type, and data handling processes must be reinforced through ongoing staff training and technical safeguards.”
The report echoes Apricorn’s earlier findings on device loss across central government departments and reinforces concerns that public sector organisations continue to underinvest in proactive data protection measures.
“Transparency is vital to improving data protection standards,” added Fielding. “Councils that encourage incident reporting and acknowledge risk, even when incidents are minor, are taking the right approach. But true protection also requires investment in encrypted hardware, secure data transfer practices, and clear accountability across departments.”
