
Once again..
A council are "fined".
In other words, the council tax payers have been "fined"...
Makes my piss boil....
The UK's data protection watchdog has fined two English council bodies a total of £180,000 after finding they had failed to keep "highly sensitive information" about children secure. Croydon Council was fined £100,000 after a bag containing papers about a child sex abuse court case was stolen from a social worker in a pub in …
Grubberment department sanctions other grubberment department by moving taxpayers' money about. Still, to be fair, if they didn't do something to use the "fines for losing stuff" budget it would be cut back the following year.
Let's see, last place I worked.
Sharing your password - Immediate sacking.
Leaving sensitive information unsecured on your desk - Immediate sacking.
Copying data to either an un-encrypted laptop or USB device - Immediate sacking.
Failing to lock your workstation when away from workstation - possible disciplinary action.
Causing the company to be fined 100K - FFS, Immediate sacking, wife sold as a sex slave, children sold to vivisectionist, and emigrate if you ever want to work again.
Meanwhile council wan^H^Horker who loses information about vulnerable children in pub - annual increment.
They need a lesson in reality, don’t they.
....Did you work in the UK, Field Marshal? If so, was it within the last 20 years?
Under UK employment law, you can't be "immediately sacked" for any of the things you mentioned (possibly with the exception of losing the company 100k) as none of them are definable as gross misconduct. Disciplinary action may be invoked in some of those examples, but there are various procedures that must be followed during such action before dismissal can be considered, and then only as a final recourse, just about anything else can be considered as either unfair or constructive dismissal and that gives you a legal case to put before an employment tribunal.
Unless, of course, they had been included as specific clauses in your employment contract and you had voluntarily agreed to them.
Oh, and if you work in a "secure government role", in which case you can certainly be dismissed if you cause a serious breach of security through direct action (but not INaction).
"WTF was this information doing floating around outside the office anyway"
Well let's see, they could have travelled 200 miles to a meeting or a client which required mountains of paperwork and then god forbid, after a 12 hour day, this person may, just may, have wanted something other than a limp sandwich to eat.
If that sounds far-fetched, trust me it's not, I'm married to a social worker and know about 20 others, and 400 mile round trips are not uncommon.
But I guess your solution would be to get up at 5 am, pick up the documents from the office, drive 200 miles, do the meeting, and then drive back, without any stops (including petrol) and then deposit it straight away back in the office.
Before you say use VC, well good luck getting doctors, police, social workers, health visitors and not forgetting the "clients" all hooked up and working.
But hey you sit on your ass and type away all day while the rest of us live in the real world.
What is suggested is a sensible idea. (in lieu of proper secure electronic linkage)
It will not happen
The council officer that suggests using a courier service on a regular basis to move the confidential data, will be volunteered for redundancy at the next round of job cuts, for "wasting money".
Councillors (the elected), are only interested in spending money on vote winning stuff, not data security, which they don't understand anyway.
This goes with the number of Data Protection officer posts that have been cut in local authorities, with the role dumped on some other officer as his 3rd or 4th duty responsibility, on top of running whatever department or directorate in the council.
Most data heavy organisations with £300m+ turnover, 5000+ staff, and 400+ business functions, would normally have a full time security manager, however in the average local authority this is just tagged on to the back of somebody's JD.
So if anybody wants appropriate security at your council, go see your councillor, and tell him that unless he gets security sorted you are going to vote for somebody who will. This is the only way to improve the situation.
@ Despairing Citizen
Agree with everything you say. You speak the truth sir.
It's the same throughout the public sector. I work in IT for the NHS and it's exactly the same here. Thankfully the lower payscale workers (i.e. anyone who isn't senior management or a doctor) now receive training on data protection issues.
However with inevitable predictability it's the senior managers and doctors, who can't be bothered to turn up because they're far too important, who are the main culprits of data protection breaches.
I'd love to list off the examples I've seen with my own eyes but again with inevitable predictability the senior managers and doctors concerned walk away totally and utterly scot-free while if I were to mention the breaches here and got found out I'd be out on my arse faster than you can say Data Protection Act.
NHS Reform? Yeah, sack half the managers. No one would ever notice. I promise.
"But hey you sit on your ass and type away all day while the rest of us live in the real world."
In the "Real World" ®, many people that lost that sort of sensitive / personal data would be instantly sacked without compensation.
".. your solution would be to get up at 5 am, pick up the documents from the office, drive 200 miles, do the meeting, and then drive back ..."
Many people do actually do just that. For 6 months, I drove to places in London (av. 260 miles) and back 5 days a week, leaving home at 5 am and getting home 9 - 10 pm after a full day's work.
For 10 years, I was a school governor. In that time, I had to sit on a large number of committees at which social services were required to attend. In that time, about 40% of meetings were wasted because the social worker never turned up, or when they did so, they had the wrong information.
I would also highlight that they were always paid even when they didn't turn up; my colleagues and I didn't even claim expenses. Whilst I do have some sympathy for the work that they do, my view of most social workers is not a positive one. And I would suggest that many others feel the same way from similar experiences.
"In the "Real World" ®, many people that lost that sort of sensitive / personal data would be instantly sacked without compensation."
Err.....no. They may face corrective or disciplinary action, but an INSTANT sacking would be a breach of UK employment law. Also, it is not in the employer's power to decide whether there would be "compensation" or not; that will either be a clause in the employment contract or at the discretion of an employment tribunal or court.
"Many people do actually do just that. For 6 months, I drove to places in London (av. 260 miles) and back 5 days a week, leaving home at 5 am and getting home 9 - 10 pm after a full day's work."
If this amount of travel is a requirement of your employment then your employer may be in breach of the EU working directive laws (limiting your working hours to 48 per week, INCLUDING travel times) and possibly also in breach of the UK employment laws which state that an employee must be permitted 11 hours between shifts (defined as a "working period") before being required to return to work.
Folks, there is a lot of knee-jerk "Sack them/I'd be sacked" stuff being posted on this forum; I *strongly* suggest you find out about your employment rights, get a copy of your contract (if you don't have one, you're being illegally employed) and join a union!
Get educated before your employer tramples you in the name of profit or simple expediency.
I reckon a lot of employers are in breach of a lot of laws regarding welfare of staff, but they can get us to work for them anyway because we and they know another mug is ready and waiting to earn a crust.
"A-ha! Just do what you're legally obliged to do because you can't be sacked."
Yes, great solution until you end up in an arms race where minor infringements become disciplinary matters instead of informal chit chats until, eventually, you find yourself out of a job having no reference. There's no end of rules and bullshit they can make up if they don't want you there. It's best in most cases just to shut up and take the shafting, or find another job. Not all of us are prepared or so financed that we might drag it through the courts where a 50/50 result awaits at the outcome.
You can make up as many excuses as you like, but allowing personally sensitive data out of your sight in a public location such as this is a massive herp derp. It's not a one-off, it's a sadly repeated state of affairs across all sectors and it seems no one is learning from these errors because they do not punish the culprits - just our tax.
This information should never have been taken into the pub - lock it in the car after your 400 miles round trip. If we backed up our commercially sensitive data on a public facing blog instead of a secure storage server, we'd be rightly crucified. Leaving written data unattended in a pub is the same thing.
I have personal data on my laptop relating to the students I support and I regularly make trips of that kind of distance.
My bag gets placed on the seat next to me, preferably between me and the wall. When that isn't possible, it gets placed between my legs - often with my foot hooked through one of the straps. No-one can get to my bag without seriously invading my personal space in a very noticeable way.
There is simply no excuse for having your bag stolen in a pub.
I hope the social worker who "lost" the documents in the pub had his bank accounts checked for unexplained wodges of cash being deposited.
I mean, if you carry records like that, you don't let them out of sight, even in a pub, you keep hold of the damn bag at all times. If you ask me, it's very suspicious.
The councillors would just claim the fine on expenses. Until someone is sacked for an offence like this, attitudes will not change.
Being a data protection officer is not just being registered with the ICO, it is being responsible for protecting data. The managers above the DPO are equally responsible for ensuring that procedures are in place.
In private industry, heads roll when there are data breach screw-ups, it may take time, but someone (not always the right person) is made to pay. Why is it that this never happens in the public sector?
"In private industry, heads roll when there are data breach screw-ups"
Alas, that, too, is complete bollocks. People just hide behind employment law. If you try to sack someone for being utterly shit at their job and frequently disclosing confidential information they will just claim they were improperly trained and take you to tribunal. It is damn near impossible to sack someone for incompetence these days.
We have a HR manager that frequently misuses the Outlook Address Auto-complete feature to send confidential information to all and sundry - but feck-all ever happens.
Unfortunately "New Liars" got rid of surcharging
and
the Clownservatives got rid of the public body responsible for checking what the elected idiots get up to. (Please note apologies to the roughly 10% to 20% of councillors who do, or attempt to do, a decent job)
I have said it before, take the fines out of the senior managers salaries, they are supposedly being paid to take the big risks associated with their roles and also in cases like this, fine the actual people who were negligent with the data.
Fining the council, as cornz said, just comes out of the taxpayers' pocket.
[We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen. ]
Please explain this in layman's terms, does he really mean that even though they KNOW in advance that bags may be stolen that they still ACCEPT to allow employees to carry sensitive information within said bags?
Isn't that a little like asking ham-fisted morons to deliver loaded guns with faulty triggers. "We know that someone will eventually drop a gun - like all of us - sometimes people just get shot"
If this information is so sensitive why is it being delivered by council employees ?
Worst case scenario should be a signed and tracked delivery.
Better case scenario : the information is retrieved from the council office by the "verifiable" intended recipient.
Best Case Scenario : Well there is none really because a member of "Anonymous" would have already cracked the secure login, hacked the database, distributed the case files to the Sun and then denied everything.
If this information is so sensitive why is it being delivered by council employees ?
Errr who else do you propose delivers it?
Worst case scenario should be a signed and tracked delivery.
What, like a couple of CDs by courier? What happens when it gets lost in the post?
Better case scenario : the information is retrieved from the council office by the "verifiable" intended recipient.
Riiighhhhhttttttttt. Hi Mr & Miss Scumbag, No 99 scumbag towers. Any chance you can come to pick up the documents relating to your child protection order.
Thanks,
Hugs and kisses, Social Services.
Shheess, some people in IT really live in a fucking bubble.
[Errr who else do you propose delivers it?]
Why not use professional delivery people, that's why they exist.
[What like a couple of CD by courier? What happens when it gets lost in the post.]
And just what do you think "tracking" is actually used for.
[Riiighhhhhttttttttt. Hi Mr & Miss Scumbag, No 99 scumbag towers. Any chance you can come to pick up the documents relating to your child protection order.]
That's exactly what I have to do when I get a new passport, I have to go myself, with my papers, to the consulate. Where's the problem, I prefer doing that than taking the chance that some numpty loses it in the pub.
[Shheess, some people in IT really live in a fucking bubble.]
Please describe the "fucking bubble", I think you will be surprised to learn that most of us actually do have lives and are capable of a reasonable amount of rational thought.
"And just what do you think "tracking" is actually used for."
We've had couriers lose full 32u racks! Tracked or not tracked they still lose them. I've had a passport lost via courier, so they still get lost.
"That's exactly what I have to do when I get a new passport, I have to go myself..."
Right, so getting a new passport is the same as some alcoholic, crack addict potentially losing their kids. Yup exactly the same.
As for living in a bubble? Yes we do, just as most other professions do. Ask a Social worker / Doctor / Teacher how good and usable their IT is and see what answers you get. Hell half the time they have to print the documents because the remote working is so utterly shit, they have little choice.
Just reading your post makes me realise just how lucky I am not to be an unlucky bugger like you.
Lost a 32u Rack, a passport, knows alcoholic crack addicts that are about to lose their kiddies and apparently is aware of some major IT problems in relation to their Social worker / Doctor / Teacher.
It is starting to sound as though the common point on all those affairs needs changing.
Go for a Holiday it sounds like you need it and if you work for an IT department change your job, judging by your attitude it appears normal that whoever you provide services to is bloody unhappy.
You don't work for the council by any chance...... and deliver parcels to make up for poor wages........and then forget to take your bag at closing time........
"As for living in a bubble? Yes we do, just as most other professions do."
I won't disagree with you - "silo mentality" is a big problem in most industries and IT can be one of the worst. Too many IT professionals suffer with delusions of adequacy.
"how good and usable their IT is"
That will depend on a number of factors; all too often people complain that something doesn't work when in fact they don't know how to use it (or what they should be using it for). This is another very common problem, and if I had an answer for you, I would probably be making millions.
"the remote working is so utterly shit"
Remote working is not new, and there are lots of people that use it on a daily basis. We have several sites over the UK and Western Europe, with a number of people working remotely every day. It can be very effective (I was managing an ERP system from a hotel room in another country a month ago) but only if the people using it have been trained.
That doesn't mean that remote working is always going to be ideal - if you are trying to work on a crap broadband connection, or a piss poor wifi, then you will have issues. Equally, if you have a half decent connection, but everyone and his dog is streaming the news / pr0n / last night's footie match on the same connection, it will be a less than stellar experience.
But none of that is an excuse for someone taking sensitive documents into a public place and losing them; and the main issue is that this happens over, and over, again. As many others have pointed out, once again it is the taxpayer that will foot the bill; surely we now have the right to ask why we are having to stump up cash because once again, someone has fouled up?
Indeed, my sister managed to use Citrix for many years - and she still thinks the tower is the hard drive (despite my having showed her one, then a few years back her new Acer having to go back within a week because the hard drive failed, and despite the fact I recently pointed out my external hard drive enclosure to her. On second thoughts, don't get me started about my sister!).
"Why not use professional delivery people, that's why they exist."
Ok, now find a professional courier service.....
I have had lots of problems at a number of organisations, finding a courier service that didn't wreck the engineering drawings being sent off site for scanning. This includes large national and international courier companies.
If it is really that important for secure delivery, then doing it in person is probably the best chance of getting towards 100% success, and at least there is a clear line of responsibility.
PS
the best courier service I ever worked with was a small local firm, they were significantly closer to 100% than the main national carriers.
IT?????? How did IT creep into this thread, still why let such mundane things like facts interfere with your opinion:-
1) "bag containing papers about a child sex abuse court case was stolen from a social worker in a pub"
2) "social worker hand-delivered a report featuring to the wrong address."
1) was unfortunate, but the social worker should have secured the papers better than that, and 2) is just incompetence. I don't see any IT cock-ups there.
My first thought on reading this "another set of sensitive info lost in pub" story. Why is anybody taking anything like this into a pub in the first place? Presumably it's a matter of stopping off for a quick drink on the way home rather than going out for the evening carrying your work with you. No harm in that in itself, but if the employee is so desperate for alcohol that it overrides common sense, he shouldn't be employed in a responsible job.
...and maybe this person with papers was going to be working from home, or going to court the next day; there's a few reasons they could have had that information on their person.
But in a pub? Really?
Here's a quick policy:
"Use the secure VPN to access electronic documents.
In certain cases you may remove restricted electronic material on encrypted media (do not carry the key with you at the same time).
If hardcopies are removed, these must be signed out to you and you must directly go from one secure location to another (which may include your home or other official location).
Failure to follow this policy will be considered gross negligence leading to summary dismissal.
Any orders to not follow this policy are void."
If they had been mugged at the train station trying to get home, that would be unfortunate and they're not to blame. But seriously...the pub?
Either sack the person responsible or sack manager (if they didn't impress upon the employee the need to take basic precautions).
I think you'll find it's a whole troupe of chimps.
As for no money a few £100k is not uncommon for a management post. You need to get promoted out of front line work ASAP if you want the decent green.
Meanwhile the UK death rate for children known to social services departments remains about 7-10 children a week as the average case load can be around 30-40, rather than the target 20+.
Icon because in the UK social Services *do* fail the people they are meant to protect, often by protecting the *wrong* people instead.
Let's face it, this is hardly the first time (this week?) that sensitive personal data has been 'lost' by our glorious overlords. Clearly fining the council is absolutely NO deterrent whatsoever as the only people punished (correct me if I'm wrong here) are the taxpayers.
The only way to make those in charge take this seriously is to publicly fire the morons responsible who repeatedly let this happen. If whoever lost the data has undergone training, bye bye to them, if they haven't, sack the bloody managers whose job it is to make sure everyone knows the rules.
Signing bits of paper saying "Sorry, we won't do it again, honest" is not working!
I was going to say that Croydon Council's social services department couldn't organise a piss-up in a pub.
It appears they can, and do.
Seriously though, they do appear to be a bunch of bungling fcukwits based on what news coverage I remember from just the last couple of years.
The fact that the £100k fine will ultimately come from taxpayers' pockets is the icing on the cake...
They should mention the fine every single time they write about any cuts to council services, or increases in council charges. Remind us of the amount of the fine, the senior manager responsible. Point out that the cut or price rise would have been unnecessary if they hadn't been fined. Every single time.
You can't realistically fine or fire a senior manager if one of the thousands of workers they are responsible for makes a mistake - nobody would do the job. But they should feel the pressure of a lot of angry voters.
I don't think it said the neighbour reported it to the police. If I received personal confidential mail meant for my neighbour, I'd just pass it on (I wouldn't know what it was anyway). If I found my confidential info had been passed to them, I might well make life difficult for whoever did it.
The governance-strategic-executive-operational arms of Councils should really be diverged and divested.
An operational error should not have strategic cost but it should have operational cost.
Sooooo....
Operational wages of council employees should be made up of fixed salary plus a bonus element.
The bonus element is part of council budget where operational costs are taken thereby limiting impact on tax payer, executive or governance arms.
basis: why should service user, governor, falsely termed Director (of department not anointed at Companies House) suffer loss because of poor operational practices?
Ans: because Whitehall dictates without accountability that it was so, is so and ever will be so (so there?)
"Operational wages of council employees should be made up of fixed salary plus a bonus element. The bonus element is part of council budget where operational costs are taken thereby limiting impact on tax payer, executive or governance arms."
A bonus is something that should be paid for doing a good job. Not messing up is not "doing a good job", it's doing your job.
I'm appalled, but I'm puzzled as well. I want to know: why is child safety a _council_ responsibility in the UK?
In Australia, child safety is a _State_ level responsibility, because they're big enough to support the bureaucracy that goes along with it. (Including training, which was lacking along with common sense.) I know you don't have States, but devolving the responsibility onto the councils sounds like madness. If they don't even have the _budget_ for elementary data protection training, perhaps they shouldn't be handling sensitive matters like child abuse.
I live in Brisbane - Australia's largest council - 1.1 million people as opposed to Croydon Borough's 345 thousand. Brisbane's pretty well run as councils go, handling local roads, sewerage, garbage collection and a hundred other "local" duties pretty well. But trust Brisbane to run "child safety" - oh god, no. States or even the Federal government, but not your local council. It just doesn't feel right.
[I should add that councils in Australia are often smaller than their British equivalent, so it wouldn't make sense here to have the UK model. For example, the Shire of Croydon, _Queensland_ has a population of 273. Not much room for a child abuse prevention bureaucracy there.]
The answer to your question is complicated.
One answer is history. Local government had responsibility for education and what early welfare there was. So more things just got tacked on.
Another reason is size. The UK's physically pretty small, but has a decent sized population. This tends to screw up our government in lots of ways. It's too easy for Central Government to try and run things from London, and ignore local differences. That means that we don't have any kind of working regional government (in England at least).
Scotland, Wales and Northern Ireland all have devolved powers in various ways, which have increased in the last few years. Although, to be confusing all 3 are quite different.
We're a small enough country that things can work without being federal, even if not very well. So we've just muddled along.
Weirdly things like police, health and fire services are regional. And often cover different and/or much bigger areas than local government.
I guess we come back to history. Government has developed over centuries, so nothing was ever designed - it just sort of happened.
... is that the ICO makes a big song and dance about $LARGE fines for councils and other govt agencies who can't defend themselves, yet continues to studiously ignore breaches in private industry unless absolutely forced to by public outcry and then lets the miscreants off with a tiny fine on the basis that they can't afford to pay anything.
As for councils running social services OR child safety - I've been in this country a decade and am utterly amazed by the sheer lack of competence and good sense shown by social services.
Incompetent social workers can simply bounce from council to council for YEARS and no one dares give them a bad reference lest they get sued.
Major-league reform is sorely needed but will never happen. There are too many vested interests, not least those of councillors who would see their central govt funding get slashed.
So which bits of the post are you objecting to, shy downvoters?
The pay of heads of SS depts. I was thinking of the Hd of Dept in the Peter Connelly (baby P) case. Actually IIRC she was on more than £100k.
The estimate that 7-10 children known to SS depts die each week in the UK?
The claim some under performing social services staff in some depts have 2x the level of recommended cases?
The suggestion depts protect the wrong people? Well again with Peter Connelly they seemed to spend a *lot* of effort looking after the mother, failed to recognize there was a new partner in the picture and a group of "professionals" who failed to take a *close* look at him even when he finally got to hospital.
So I'd call that protecting the wrong person. Other cases have involved mothers retaining custody despite serious drink and drug problems despite fathers being ready and willing to take custody.
I have quoted a figure of 7-10 deaths a week of children known to council social services departments, a figure I could recall seeing but could not recall the reference for it.
I have now seen NSPCC policy summary "Child death investigation and review." (2008).
This states that every week 1-2 children in England and Wales are killed "At the hands of another person." It goes on "Every 10 days in E & W, on average 1 child is killed at the hands of their parent" and "Child homicide rates have been broadly similar over the last 30 years."
This does not cover Scotland but it seems hard to believe they would add a further 5-7 deaths a week.
While I'm happy that the number is lower than I had thought the fact that it has not *changed* in nearly 3 decades says all that is needed about how big a priority it is in improving it.