
Barnet Council
Taxpayers fined £70K for council's data breach.
Council head Social services worker commented "at least it hasn't cost us anything, we'll carry on as normal"
The UK's privacy watchdog has fined the London Borough of Barnet £70k ($111k) after the local authority lost extremely sensitive information about young children for the second time in two years. The latest loss occurred when a social worker took paper records home to work on them out of office hours. The staffer’s home was …
It works because the people at the top, who should be making sure that these "mistakes" don't happen through appropriate leadership and management, are completely isolated from any consequences. If the people at the top - particularly the chief execs - feel the pain caused by the inefficiencies and lack of competence of their employees they will make damn sure that they start doing their job properly.
The question that no one seems to be asking is why they had to take these files home to work on them in the first place. I know several social workers and my bet is that they are so snowed under that they had to take work home with them to try to keep up with all their targets (usually set by people at the top who couldn't do the job for which they are setting targets and thus have no clue how achievable they actually are).
Perhaps if councils actually paid attention to their own case load limits (my mother, for example, has had to handle case loads 3 times the recommended maximum) and hired more people to cover the cases, rather than relying on people taking the extra work home with them, case files wouldn't be leaving the building and ending up at workers' houses in the first place. But that would cost money of course. Oh, and you'd need to persuade people that taking on the shitty job that is social work is a worthwhile career move.
Perhaps if the idiots who keep taking work home and keep working far more hours than they are contracted to stopped doing so the work wouldn't get done and then it would be noticed that they need more staff and/or the targets are not sensible. You cannot complain about work load if you just accept it. Make a noise.
And if they don't get done, the cases collapse, they get struck off the registration and then become unemployable.
Don't believe it? Look at Baby P. Many people could name the evil Head of Social Services and the Social Workers, but very few could name the killers.
Yup what a fucked up world we live in.
Most social workers utterly refuse to work in child protection due to the extreme pressures they are under (see how many go off work due to stress).
Maybe if ass hats stopped looking at the one case where they failed and the 10,000 they succeed in, then maybe more people would want to do the job, but for several years at Uni and for £30k a year, would you risk being punched, kicked, overworked or hounded in the press (or by dickheads on forums)?
I wouldn't.
OK, so social workers who visit families have to take some records with them when they visit. If they visit more than one family they might have a number of records with them at any one time. What happens if they get robbed during such a day? Should all such data always be held on encrypted laptops with encrypted memory sticks?
What about the families themselves if they hold copies of such records? What happens if they get burgled? Does the council get fined for this incident too?
A laptop with a TPM chip (fairly standard nowadays) and running BitLocker to keep the contents of the drive secure. Strong password and/or two-factor auth for login. It's not difficult.
If they don't want that level of complexity and can assume a decent data connection, then do everything via a Citrix or RDP connection from a minimal-spec laptop that never has any data on it.
Once again... taxpayers fined because jobsworths don't do theirs.
Given that schools are now starting to deploy TrueCrypt on staff laptops that go off-site, it's hardly a burden.
Instead of just turning the machine on, you type in a password for the drive. It then boots. End of story. Without the password, the laptop data is useless.
Cost: £0.
Performance loss: Negligible
Security: Virtually perfect (as perfect as you can get when people have to memorise passphrases, or carry two-factor authentication sticks at least)
Liability when something is stolen: £0.
Hassle to the end user: "Enter your password" (which they would have had to do to print out that data anyway!)
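The two posts above describe the same laptop build from different angles: a TPM-bound BitLocker volume, and a pre-boot password without which the disk is useless. The script below is an added example, not something any commenter or the council posted; it is a read-only compliance check a defender could run on a fleet laptop to confirm that build is actually in place. It assumes Windows 10/11 with the built-in BitLocker and TrustedPlatformModule cmdlets (Get-Tpm, Get-BitLockerVolume) available in an elevated session, and it changes nothing on the machine. The function name Test-LaptopDiskEncryption is my own.

```powershell
# Added example: read-only check that a laptop matches the "TPM + BitLocker +
# pre-boot PIN" build discussed in the thread. Assumes Windows 10/11, elevated
# PowerShell, BitLocker and TrustedPlatformModule cmdlets present. Changes nothing.

function Test-LaptopDiskEncryption {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # OS volume, normally "C:"
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. A TPM has to be present and initialised for any TPM-bound protector to work.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add("No TPM detected")
    } elseif (-not $tpm.TpmReady) {
        $findings.Add("TPM present but not ready (not initialised/owned)")
    }

    # 2. The OS volume must be fully encrypted and protection must be switched on.
    #    'Suspended' protection (e.g. left over from a firmware update) looks encrypted
    #    but unlocks with a clear key, so it is a finding.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume $MountPoint is $($vol.VolumeStatus), not FullyEncrypted")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection on $MountPoint is $($vol.ProtectionStatus), not On")
    }

    # 3. Key protectors. TPM+PIN is the "type a password before it boots" model the
    #    comments describe. A bare TPM protector unlocks silently at boot, so whoever
    #    has the laptop gets as far as the Windows login screen with the disk open.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
        if ($types -contains 'Tpm') {
            $findings.Add("TPM-only protector: no pre-boot PIN, disk unlocks automatically at boot")
        } else {
            $findings.Add("No TPM-bound key protector found (types: $($types -join ', '))")
        }
    }

    # 4. A recovery password must exist (and be escrowed centrally), otherwise a
    #    forgotten PIN or a TPM reset after a board swap means the data is gone.
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add("No recovery password protector; escrow one (AD/Intune) before deployment")
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = $types
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

# Usage: prints the verdict for the OS drive.
Test-LaptopDiskEncryption | Format-List
```

The check deliberately treats "encrypted, but TPM-only" as non-compliant: that configuration protects against the disk being pulled and read elsewhere, but it is not the "enter your password or the data is useless" model the posters are describing, because the machine boots to the login prompt on its own.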
I work for an organisation that works with sensitive data too. We've worked round this problem in our area by not taking the actual data out of the office ever, whilst making it available to visiting officers.
How do we do this? With ease.
Our visiting officers take a laptop with them. The laptop has a SIM card in it. The visiting officer uses this to connect to our SSL VPN network, does the work that they need to in the customer's house, accessing all of the systems that they have in the office over the end-to-end encrypted connection. When they've finished, they log out of the service, and shut down the laptop.
Nothing that they've done whilst out of the office is ever on the laptop. The laptop is secured with a username/password that is tied to our network as well, but there's no sensitive data on it ever anyway, so even if it is stolen, there's no issue. Quite why other organisations like ours can't manage this too I really don't know.
If anyone can spot any problems with our setup, I'd love to hear them, always willing to learn, and improve.
I work for a council supporting the social care dept and we tried this last year. Ever tried getting a reliable 3G connection inside someone's house, residential home, hospital ward etc in a provincial town? You can, but it's very, very patchy, resulting in lost data, appointments abandoned half way through, or info just copied onto paper anyway and typed up later. And that was just accessing a secure website - trying to get a Citrix connection was an unpleasant joke in half the locations tested.
So we're having to develop an offline app that will hold any data needed (on an encrypted device, obviously) and then upload/download whenever it next gets a usable connection.
Roaming is fine if you roam to a set of definable locations where you can be sure you'll be able to connect (e.g. home, another office, cafe etc). It's not so great for having to go anywhere, wherever the work takes you.
Fines for companies do not work, fines for individuals do.
Rather than fining the council for the loss, which really doesn't affect them, they should have worked out the total fine, and split it between the responsible parties.
If I were to cock up and my company was fined iuno, 70k I couldn't give two shits. If I cock up, and I was fined 2k, as well as the management who should have put stuff in order to stop me from causing the offence then I'd think "oh shiz"
The real debating point here, is (a) why the employee was allowed to take sensitive *paper* documents out of the building (which is presumably classified as "secure") and how they were allowed to take them to a private address, where a partner, child, visitor could have had sight of them.
I am a massive fan of working from home (do it myself), but it really needs carefully policing where sensitive data is concerned.
What concerns me most about these LA data breaches is how we NEVER hear anything afterwards. Was anyone whose data was leaked affected?
One of the people I follow on Twitter tweeted that he was told by ICO staff that the commissioner did not want a battle with Google. It's hardly surprising I suppose when you see that sort of attitude being displayed that you end up with a regulator that never seems to enforce the law where the private sector is concerned. It's still a pity though (and awfully convenient for them that they have a case management system that doesn't take the type of organisation into account - thus making retrieving statistics on past cases virtually impossible).
This post has been deleted by its author
Could be under-age kids that are involved in gangs and required/pressurised into performing sexual acts, there's a number of horrible scenarios out there as to why this sort of information is on file. It's probably best to stick to questioning why the Council is so shit at data security and who should take the blame within that Local Authority.
The laptop was encrypted. The paper files were stolen from someone's house, after they printed them out. I guess the only solution is to advise people to stop printing sensitive documents at home.
And: "How were they even getting details of said 'sexual activity'?"
A social worker probably just asked them, what's the big deal. I think most IT bods would be amazed how hard it is actually doing a proper job (e.g. being a social worker).
I have to post anon because I am connected to people in the social work department in my local authority area, and they paint a very worrying picture of what is happening due to cutbacks.
The local authority discovered that they can reduce costs by reducing office space and making employees share work spaces. This has been termed 'hot desking'. Currently in my area there are up to 5 staff members sharing the same desk; due to limited time and access, social work staff are now being required to take their case work home and complete any reports at home (non-paid work). This includes taking digital files and hard copies home.
Additionally, since they have reduced office space, they have also removed secure storage facilities, and each social worker is now responsible for storing any hard copies themselves.
One staff member shared with me that they keep their case files in the car. When they get home they wait until it's dark and sneak the files into their home, where they keep them locked up. Every day they have to take the files back to the office, but since there is not enough storage space, the sensitive reports follow them wherever they go.
The local authority will not address the issue as they are being required to make the cuts, and the worry for most of the social work staff is that if the files get lost or stolen, they will be the scapegoats, even though the decisions made by the local authority (and Government) have forced the staff to work in such a haphazard manner.
It will only be a matter of time before more cases like this emerge, but unfortunately the social workers cannot speak out to highlight the issues for fear of losing their jobs.
I've worked in small companies that have this sort of thinking.
From the article.
"when a social worker *took* paper records home to work on them out of office hours"
Usually a sign of senior management being clueless. On the kind of money senior council management posts get there is *no* excuse for being this ignorant.
It's called *data* management for a reason. As in *all* data.
Not *file* management. Not *computer* management.
Quick & dirty solution. Scan *all* documents in and save to TrueCrypt locked hard drive.