In our current digital climate, the rapid rise of AI and smarter technologies poses a constant risk to traditional data protection.
Key takeaways
- Cyberattacks can severely disrupt councils, exposing sensitive resident data, interrupting essential services, and creating significant recovery costs.
- Cybersecurity training standards vary considerably across UK councils, with only a small number demonstrating strong, mandatory, and regularly refreshed programmes.
- Weak or infrequent training increases risk, as human error remains a leading cause of cyber breaches, particularly when elected members are excluded from training.
- New UK cybersecurity legislation is raising expectations, requiring councils to strengthen cyber resilience, improve incident reporting, and better manage security risks.
News headlines increasingly report sophisticated cyberattacks with UK travel companies, high street stores, and local councils all falling victim. While the private sector risks catastrophic revenue loss, the public sector faces the high-stakes challenge of keeping highly sensitive and confidential public data safe.
Key statistic: Recent reports note that 80% of the UK’s top retailers are now exposed to at least one form of critical cyber vulnerability, with the Marks and Spencer cyberattack being one of the most notable hits in recent months, not only to retailers but to all UK companies.
In the public sector, Gloucester Council became the victim of a cyberattack in December 2021, leaving its website down for 11 days and constituents without access to the online application forms used to claim housing benefit, council tax support, test and trace support payments and discretionary housing payments.
An investigation found that 240,000 files were stolen by a Russian hacker group, with residents' personal information potentially being compromised. In total, it took 18 months for the Council to rebuild its servers and get services running fully again, costing £1.14 million. This illustrates how a single security breach can grind vital services to a halt, affecting both council workers and those who rely on its services.
More recently, Kensington and Chelsea Council fell victim to a cyberattack and wrote to thousands of people urging them to be vigilant after data was stolen. Given the sensitive nature of the data held, the theft gave attackers what they needed to pose as the local authority and request further information while claiming to be from the Council.
The Council shared some of the affected services with Westminster City Council and Hammersmith and Fulham Council, demonstrating how easily an attack on one authority can scale to affect a much wider area.
Investigating council cybersecurity
To understand how councils across the UK approach cybersecurity training, Skillcast analysed council cybersecurity awareness training policies using FOI responses. To do this, questions focused on the quantity of staff members who have taken part in training over the past year, whether the training is mandatory or not, and the frequency of refresher training.
These answers were then scored against a ranking system to create an index evaluating mandatory status, refresh frequency, and council enforcement. Councils were then attributed as either Tier A - top performers, Tier B - mid performers, Tier C - needs improvement, or Tier D - poor performers.
Only four councils out of the 37 involved in this study achieved top-tier ‘A’ status: Belfast City Council, Buckinghamshire Council, Bournemouth Christchurch and Poole Council (BCP Council), and City of Edinburgh Council.
Why is cybersecurity training so important?
Cybersecurity is the practice of ensuring computers, networks, and digital information are safe from attacks, damage, and unauthorised access. For local governments, the key focus is on keeping sensitive data up-to-date, private, and accessible to only those who need it.
Key statistic: According to the government’s cybersecurity breaches survey, over four in ten businesses and three in ten charities reported having experienced some kind of cybersecurity breach or attack in the past 12 months alone.
With cyber criminals adopting new, sophisticated tactics for targeting businesses, it is imperative that any organisation holding sensitive information, and the employees working within its systems, are equipped with the right training to reduce the threat of these crimes.
Councils hold incredibly sensitive information such as electoral records, adult social care and medical data, and children’s services files, so if staff are not receiving regular, high-quality training, the safety and privacy of vulnerable individuals are at risk.
Strong cybersecurity training does more than mitigate risk; it empowers elected and non-elected officials to report and highlight any red flags they see, ultimately creating a safer and stronger workforce that maintains public confidence in local governments.
The best-performing councils
Scoring highly across all factors were Belfast City Council, Buckinghamshire Council, BCP Council, and City of Edinburgh Council. All four are deemed to have rigorous, frequent, and fully inclusive cybersecurity training with a confirmed enforcement mechanism, placing them all in Tier A.
Belfast City Council scored highly due to the breadth and consistency of its training policy. Cybersecurity training is mandatory for all staff, including elected members and temporary agency staff. However, organisations contracted to carry out a service on behalf of the council are responsible for conducting their own training.
Belfast City Council rolls out training to staff on a monthly basis. Because cyber threats evolve continuously, training frequency must keep pace. While the specific contents of these sessions remain undisclosed, the monthly cadence is highly encouraging and may help staff remain better equipped to identify and report cyber threats.
Buckinghamshire Council, BCP Council and City of Edinburgh Council all follow a similar approach when it comes to cybersecurity, requiring all staff, elected members, and anyone using council systems to complete monthly refresher training.
In the case of Buckinghamshire Council, this refresher training is offered as a 10-minute cybersecurity e-learning module and quiz.
Employee engagement is crucial for cybersecurity training, as a lack of interest can lead to avoidable mistakes that put others at risk.
Key statistic: Recent research has found that human error contributes to 95% of cyber breaches, emphasising the need for attentiveness and retention when staff complete cybersecurity training courses.
So, by turning training into a short-form learning format, Buckinghamshire Council has tackled these obstacles to ensure that essential training is delivered in the most effective way possible.
Where are councils falling short?
The lowest scoring authority in the index is Exeter City Council, which has only implemented mandatory training for all staff, temporary contractors and elected members this year (2026).
While it is reassuring to see the Council adapt to today's escalating threat landscape, this transition period highlights the urgent need for local authorities to rapidly close pre-existing security gaps. Reversing years of potential vulnerability requires frequent and engaged training, as well as the necessity for a culture of digital vigilance to be built into the workplace.
A stark contrast in training maturity is evident between two authorities. While Kirklees Council couldn’t specify the frequency of initial or refresher training, Crawley Borough Council highlighted that training is mandatory, though refresher training policies were not disclosed. Given the fact that neither authority could provide clear frameworks regarding the frequency of refresher training, both councils ultimately scored lower on the index, ranking in Tier D.
On the other hand, councils such as Dacorum Borough Council and Maidstone Borough Council have recorded a low frequency of training which has seen them ranked in Tier D. Both councils only offer refresher training every three years, leaving a dangerous knowledge gap which naturally increases the risk of data breaches.
Interestingly, Eastbourne Borough Council (Tier D), Maidstone Borough Council and Kirklees Council do not make cybersecurity training mandatory for elected members, creating a different form of knowledge gap.
Given that councillors handle highly sensitive constituent information, without the correct training, they can become prime targets for a cyberattack. Despite not holding a guaranteed fixed position within the council, councillors typically serve 4 years in the role, giving hackers enough time to potentially target them.
The compliance risk of withheld data
When met with FOI requests, some councils claimed that keeping historical training records would violate the GDPR storage limitation principle.
However, this confuses individual personal data with high-level training metrics. Without historical data, these councils may struggle to prove to regulators, or the public, that their cybersecurity defences are actually improving.
Tracking historical metrics is key to ensuring a successful cybersecurity programme is in place. It helps oversee employee retention of cybersecurity pillars such as security protocols and phishing awareness, and helps identify weak spots where focused, role-specific training can be issued if needed. Historical metrics can also be used for trend analysis, tracking improvements in cybersecurity, helping to justify investment in training and to pinpoint where extra attention may be needed.
New Cyber Security and Resilience Bill
The government recently passed the new Cyber Security and Resilience Bill, adding to the existing Network and Information Systems (NIS) Regulations (2018). Designed to deliver a fundamental change to the UK’s national security, it can only be assumed that low-scoring councils from this research will have more regulations and guidelines to assist in improving their cybersecurity.
Overall, the new legislation will protect a wider scope of organisations, such as data centres and IT service providers, and companies will be expected to report a broader variety of cyber incidents within a shorter time frame. Monitoring must be done more strictly, especially of third-party vendors, to strengthen the overall safety network of organisations, and regulators will be given more power to force companies to fix security vulnerabilities immediately, with the ability to issue larger fines if there is a failure to comply.
Want to learn more about how to protect your business against cyber threats?
Our Cybersecurity Compliance Management Hub is designed to help organisations minimise cyber risks and reduce cyber threats. This includes our Cybersecurity Compliance Training Course, which offers training on recognising cybersecurity threats, advice on how to combat them, and guidance on identifying sources of information and support.
Methodology
To determine the strength of cybersecurity training across councils in the UK, Skillcast conducted FOI requests to understand how many staff members had taken part in training, whether training is compulsory or not, and the frequency of refresher training.
The following questions were submitted to 37 councils across the UK:
- In the past two calendar years, how many staff members have taken part in cybersecurity training?
- Is cybersecurity training mandatory for all staff, including temporary contractors and elected members?
- In the past two calendar years, how many staff members have taken part in a form of refresher training for cybersecurity?
Each council was then scored out of 75 across three criteria to create the index:
- Whether the training is mandatory or not
- How frequently refresher training is delivered
- Council enforcement
Skillcast was then able to rank the councils against a tiered system to determine the proficiency level at which each council is currently offering its cybersecurity training.
Data correct as of March 2026.
Written by: Emmeline de Chazal
Emmeline is an experienced digital editor and content marketing manager. She has a demonstrated history of working in both the education management and software industries. Emmeline has a degree in business science, and her skillset includes Search Engine Optimisation (SEO), Answer Engine Optimisation (AEO) and digital marketing analytics. She is passionate about education and utilising her skills to encourage greater access to e-learning.