Nearly 10,000 people have been hit by data breaches at the hands of the BBC over the past nine years, according to data seen by Business Insider.
As part of the British broadcaster’s television licence collection activities, it has lost audience information including bank account details, mobile phone numbers, addresses, and signatures.
Collection of the £145.50 television licence fee is overseen by the BBC’s TV Licensing arm. The majority of its work is contracted out to services firm Capita Business Services.
In total, 9,560 people have been affected by 156 data breaches since 2007, according to a Freedom of Information Act (FOI) request.
The BBC explained in the FOI response that it handles 25 million licence fee accounts in the UK and takes data security “very seriously.” It added: “We have a comprehensive set of controls in place to protect it.”
The breach that affected the highest number of people came in 2011 when one incident involved 3,291 individuals. There was also a big breach last year, when the details of 494 people were lost. The vast majority of these 494 people worked for Capita, which is responsible for licence fee collection on behalf of the BBC’s TV Licensing arm.
Eleven cases were considered serious enough to report to the Information Commissioner’s Office (ICO). One took place for last year, when the first line of a licence payer’s address was lost, while nine incidents pre-dated 2013.
There has also been a sharp increase in data breaches over the past three years. Between 2007 and 2012 there were 12 breaches a year or less, but this figure jumped to 22 in 2013 and 53 in 2014. There were 40 cases last year, while there have been 21 cases from January to the start of August this year.
In the FOI disclosure, the BBC said: “We do not believe the figures in the disclosure log reflect a growing number of data breaches but rather demonstrate the increasing vigilance of staff in identifying and reporting data incidents.”
The BBC added:
“TV Licensing has a comprehensive database of around 30 million domestic, business and other addresses across the UK, with over 25 million TV Licences in force. We ensure that staff access to the database and other associated systems is only permitted if their job requires it.
“The different levels of access are monitored rigorously and staff members receive mandatory data protection training, as well as regular briefings on the importance of protecting personal data. Whilst we attempt to minimise the number of data losses or breaches, with an operation of this scale, data incidents do occur sometimes.
“Accordingly, we have a robust and well established process in place to address such incidents, as and when they may arise. All incidents are recorded and investigated, and appropriate action taken.”
A spokeswoman for TV Licensing underlined the fact that only one data breach has been reported to the ICO in the past three years. She added that the “vast majority” of breaches “involve no sensitive personal data” and were the fault of a “third party,” such as the Royal Mail or the courts.
The ICO does not classify bank account details, mobile phone numbers, addresses, and signatures as “personal data.” Information it does classify as personal includes:
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Physical or mental wellbeing
- Sexual preferences
The TV Licensing spokeswoman said: “We take our responsibilities under the Data Protection Act very seriously and have robust processes in place to take all necessary action when these incidents do occur.”