back to article UK council fined £70k for leaving vulnerable people's data open to world+dog

A UK council has been fined £70,000 for leaving vulnerable people's personal information exposed online for five years. Nottinghamshire County Council posted the gender, addresses, postcodes and care requirements of elderly and disabled people in an online directory that was left accessible to world+dog. No usernames, …

  1. Anonymous Coward
    Anonymous Coward

    Fining public bodies.

    It's basically pointless isn't it? One tax payer group will pay another tax payer group and a bunch of lawyers will get extra fees also from tax payers.

    Until the staff of councils have to pay these fines they will continue to not give the slightest toss about them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Fining public bodies.

      It's not the money it's the bad publicity that goes with it that makes the difference. Senior managers don't care about the money; £70k, that'd barely pay for a consultant to come in on a contract to save £70k.

      But they poop their pants at a bad press story and it probably will change attitudes towards signing off stuff without being checked. At least for a few weeks.

    2. veti Silver badge

      Re: Fining public bodies.

      The taxpayers of Nottinghamshire will be, collectively, £70,000 out of pocket. That's money that can't go to park maintenance or bin collections or any of the other useful functions.

      Now the councillors will have to explain this to their voters. An honest explanation would probably go something like "Sure, this cost you £70,000 - but consider, if we had to take precautions against this kind of thing all the time, that would cost you £20,000 every year. So, since 2010, we've actually saved you £70,000."

      I doubt anyone is going to be that honest, but that's how the money ties together. It was the taxpayers of Nottinghamshire who benefited from the council's lack of precautions, so why shouldn't they pay the fine? If they don't like it, it's up to them to elect some better councillors.

      1. nijam Silver badge

        Re: Fining public bodies.

        > The taxpayers of Nottinghamshire will be, collectively, £70,000 out of pocket.

        Peanuts. They've just been lined up to fork out over half a billion for a tram system that is not noticeably better than the bus services it didn't replace. (But at least it obstructs other road users, which I presume is the point.)

    3. Anonymous Coward
      Anonymous Coward

      Re: Fining public bodies.

      Actually working in public sector we're scared of fines as it means fewer resources to spend. We've never had one but just the threat of it keeps our directors on their toes. The loss of public confidence is arguably more important to us (NHS) but it's a difficult balancing act because on the one hand you have common sense and data protection legislation and on the other you have the government pushing us to work with councils and police services, many of whom want the NHS to pay and lead on everything, then share the benefits. We'd frankly rather not share our information with services which don't have any mandated requirement to train staff to the same level as us, who are far more likely to be fined as a result of a breach - because they tend to screw up on a much bigger scale and who don't seem to grasp why we're terrified to let them near mental health information.

      Yeah I'm biased, because I've seen hundreds of examples of councils and the police not giving a **** about the DPA over the past few years and wanting sensitive personal information shared without any agreement between data controllers etc because "it's needed now" when in reality what they mean is "it'd be handy for us to have now" and it's not actually an emergency.

      1. Anonymous Coward
        Anonymous Coward

        Re: Fining public bodies.

        > "Actually working in public sector we're scared of fines as it means fewer resources to spend."

        I'm sure you don't cock up, but the implication there for you is that it's sick people (NHS) who cop the bill rather than the staff.

        1. Anonymous Coward
          Anonymous Coward

          Re: Fining public bodies.

          The staff aren't being found guilty of breaching any ICO ruling or law. It's the organisation which is. That's part of the issue though - we don't go after individuals often enough.

      2. Anonymous Coward
        Anonymous Coward

        Re: Fining public bodies.

        NHS AC said "I've seen hundreds of examples of councils and the police not giving a **** about the DPA" but I have worked for a local council and can say that the attitude of the NHS staff we had to deal with was as bad.

        One in particular would often come round to the Admin team and ask in a loud voice so everybody (in the office) could hear "Who can tell me about so-and-so?" Assuming one of us actually had time to spare (not often, we're overworked too) to help, she would be invited over to that Admin's desk and we would do what we could. And, more often that not, she already had all the information we had and more because WE shared info as we are supposed to - including all due regard for privacy, data protection, not printing it off and leaving it on the shredder because it was full and she couldn't be bothered to empty it, timely sharing of potentially lifesaving information - even though the NHS teams often refused to tell us anything citing data protection!

        Here's a clue - if you need us to provide a service and make sure it is funded, you need to tell us what the service the person actually needs. Simply saying "So-and-so needs homecare" isn't enough - how many calls a day?, assistance with lifting so needing 2 people?, can they cook meals safely?, and so on won't result in the client getting the care they need.

        She was the worst example but some of the others were also a little sloppy when it came to data protection - most of them were more than happy to walk away and leave their computers unlocked and waiting the 10 minutes until the screensaver kicked in, or to discuss all sorts of information when members of the public or people from other parts of the two organisations - who had no Need To Know this stuff - were in the office.

        There are good and bad examples on both sides of the handcart(1) but that doesn't excuse the fact that council tax payers are once again footing the bill for some cost-cutting decision made by someone who has basically gotten away with it.

        (1)The one we're riding to the First Ring...

  2. kain preacher

    Simple fix. Every one in the council is fined 3 months pay.

    1. Aladdin Sane

      You'd fine the bin men for the failures of management and IT?

      1. Anonymous Coward
        Joke

        Re: Every one in the council is fined 3 months pay

        You'd fine the bin men for the failures of management and IT?

        On the upside, those managers and IT people responsible probably won't get their offices cleaned properly or their bins emptied ever again.

        1. Terry 6 Silver badge

          Re: Every one in the council is fined 3 months pay

          The council's premises are probably cleaned by a contract company, anyway. Come to that, who created this "portal"?

        2. Anonymous Coward
          Anonymous Coward

          Re: Every one in the council is fined 3 months pay

          "You'd fine the bin men for the failures of management and IT?"

          In Birmingham that may be a very popular option at the moment.

      2. Anonymous Coward
        Anonymous Coward

        > "You'd fine the bin men for the failures of management and IT?"

        That's what happens in the private sector, when the company does badly everyone in the business suffers, sometimes lose their jobs even.

      3. splodge

        Bin men have not been employees of Nottingham council(s) for years. They work for Veolia, unsurprisingly

    2. Stuart Halliday

      So why should the cleaners, child minders, librarians, security guards, drivers get fined for lousy IT?

    3. Anonymous Coward
      Anonymous Coward

      Well, you could have everyone part paid from a bonus pool and that pool is used to pay fines first.

      Everyone in an organisation is responsible for the way it functions to some extent.

      1. Triggerfish

        Everyone in an organisation is responsible for the way it functions to some extent.

        You know having worked as a temp answering bin calls for a council, I am pretty sure I had no say in the IT infrastructure of the place. I don't remember anyway coming round asking me for my opinion of the firewalls or processes they had in place.

  3. Anonymous Coward
    Anonymous Coward

    I hope they are prosecuting the member of the public too ...

    seems SOP these days ...

    1. Roland6 Silver badge

      Re: I hope they are prosecuting the member of the public too ...

      Nah! Just got them an invite a DefCon and the FBI will do the rest...

  4. Anonymous Coward
    Anonymous Coward

    More than likely....

    ...someone internal would have reported this in IT but been ignored by management. Happens all the time in local government.

    1. 0laf Silver badge

      Re: More than likely....

      It probably ordered to put it in quickly and shut up about any problems.

  5. Prst. V.Jeltz Silver badge

    Lets see how many people are going to comment " Fine or sack the directors!"

    <popcorn>

    1. Anonymous Coward
      Anonymous Coward

      There should be accountability, at the highest levels. Therefore, the various technical design authorities, CIO, COO, Heads of Service, Head of IT, Data Stewards and System Owners need to understand the implications. Whether that is "Fine or sack the directors!" or a KPI to monitor to ensure it doesn't happen.

  6. Chris G

    Train them

    In the past before council services went to hell and Capita, council employees had to attend health and safety , first aid and other obligatory courses. With health and safety they had to sign to say they had attended.

    Given that almost everyone in a council office is almost certainly working with a computer terminal at some point in their work and the fact that data security and breaches are so important and far reaching. I would suggest that ALL workers should attend an annual IT security course, sign to show they have attended and be held responsible for lapses like that in the article. No traini g certificate no work relating in any way to IT.

    Independent oversight to ensure the quality and relevance of courses would be useful too.

    1. Commswonk

      Re: Train them

      I would suggest that ALL workers should attend an annual IT security course, sign to show they have attended and be held responsible for lapses like that in the article.

      Impossible to argue against that, but I might argue that a data protection failure would not necessarily be covered by IT security; data protection is the responsibility of an organisation's Data Controller - capitalised because it is a responsibility mandated by the DPA. AFAIK there is nothing that requires the function to fall within "IT".

      At the same time if the data was set up to be accessible to "social care providers" then it follows that it passes outside the boundaries that the (Council) Data Controller has to take responsibility for; each of the "social care providers" would have their own Data Controllers (I hope!) who would each have to oversee how the data was managed once it was in their own organisation's possession.

      Although I would not say that it happened in this case it is entirely possible that the best efforts of one organisation can be completely undone by carelessness, stupidity, or malice in another. (But see Hanlon's Razor!)

      It might be interesting to know (even if not wholly relevant in this case) how many "social care providers" have proper Data Controllers to oversee the proper management of client data, and how many organisations have breaches of the DPA as a disciplinary offence down to the individual employee level.

      1. Chris G

        Re: Train them

        My point about training is that everybody who would access such a database should be aware that if they don't need any authentification to access it, then nobody else does. With training in place it would then be everyone's responsibility to report a lapse in security. When I left the UK in the '90s , health and safety was reaching the point where the individual had been trained and was therefore as responsible as anyone else for an accident related to a lapse in H&S procedures.

        If a machine has no guard that is first a management failure, if an operator uses it and sticks his head in there past where the guard would have been he is also responsible for ignoring both the missing guard and unsafe work practice that he would have been trained to avoid.

        Clearly the form and type of training should to some degree be dictated by the trainee's function within the system.

        1. Yet Another Anonymous coward Silver badge

          Re: Train them

          Then you get to a point where everyone's job becomes compliance arse covering.

          Little-old-lady (tm) rings up to ask about her heating. Your priority is making sure that you have ticked all the boxes rather than helping her. If you miss asking her the correct 32 digit case number at the correct points during the call you can get fired, if you just hang up you are safe.

        2. keithpeter Silver badge
          Coat

          Single sign on - Re: Train them

          "My point about training is that everybody who would access such a database should be aware that if they don't need any authentification to access it, then nobody else does."

          @Chris G

          I log into a PC that is a network client on my employer's system. I access stuff on Intranet, say a business application. I notice that I can access the application directly, but I'm assuming that is because I have logged into the PC because most of the business applications I use are single sign-on. If I had advanced knowledge, I might notice that the application does not obviously reflect my user name, but, then it may be that the nature of the task does not require my details especially or depend on my 'role'. It would not occur to me normally to access the application from a device outside the organisation because, well, its for work isn't it? I would not therefore realise that the system was wide open.

          The system in the OA was found using a search engine query from a random member of the public. It strikes me that the outer portal may have had a username/password challenge but that the files inside/cached pages whatever may have had incorrect file permissions/acls set by the original designer. As others have said, the original designer may have been the employee of a contracting company, possibly as part of a semi-shadow IT project (penumbra-IT?). The lack of a cynical BOFH type poking sticks at the thing just to see what they can see does strike me but perhaps they have been outsourced.

          Perhaps certification of some kind for any application (business to business or whatever) that holds confidential information would be the best route? Ensure the ruddy thing doesn't leak round the edges in the first place. What I think I'm saying is that you need a technical remedy for a technical issue of design rather than a social remedy in the form of 'training' and the resultant dumping of accountability onto end users. A technical solution is applied once in the form of robust design. The social solution has to be repeated indefinitely and results in many possible points of failure.

          Coat: Mine's the one with completion certificates from 9 (yes 9) mandatory training courses I have had to complete this year - I'm a teacher.

      2. Anonymous Coward
        Anonymous Coward

        Re: Train them

        National Information Security Directive that's coming at some point may require an IS version of the SIRO. Problem is it needs teeth to go with it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Train them

      "Given that almost everyone in a council office is almost certainly working with a computer terminal at some point in their work and the fact that data security and breaches are so important and far reaching. I would suggest that ALL workers should attend an annual IT security course, sign to show they have attended and be held responsible for lapses like that in the article. No traini g certificate no work relating in any way to IT."

      Staff do have to undergo IT security/data protection training on a yearly basis. At least they do at the Council where I work.

  7. andy 103

    So, what actually happened? Details, details.

    It would be interesting to know more details about how they "posted" these details.

    What this suggests is that a file has been placed within their publically accessible web space, and then possibly indexed by a search engine.

    However, there are a lot of questions over that. Firstly, how/why had it been put there? By who? For what purpose?

    Or was it a sloppy developer who built a web application where it wrote files containing form data to the web root (yes, seen it happen) and those were indexed? Was it a developer, or a non-IT member of staff?

    Fining people alone isn't the answer. Knowing about what has happened would actually help in situations like this, but no doubt they'll do some "investigation" and be non the wiser themselves. Each party will blame the other, etc etc.

  8. Anonymous Coward
    Anonymous Coward

    cost per person

    So the value of PII is £23 per person?

    1. 's water music
      Joke

      Re: cost per person

      So the value of PII is £23 per person?

      Once that is amortized over five years I am pretty sure they could cover their loses from the fine by selling google a license to keep using it

  9. Anonymous Coward
    FAIL

    IT is difficult; secure IT is next to impossible..

    So outsourcing everything to the cheapest IT shop is not very clever.

    1. Derezed

      Linkage

      Have you got a link to the source that tells you that this project was outsourced instead of some council employee giving their nephew "who is very good with computers" free reign to build a piece of shit web front end using some ill developed PHP skills?

  10. Anonymous Coward
    Anonymous Coward

    So the ICO

    actually gets to collect. But ONLY because it's a government body that's been fined, a local council.

    So the council has simply coughed up to save face.

    Yet the ICO are totally ineffective at collecting fines from cold calling companies who simply wind up the business, fuck off for a fortnight, then magically reappear with a new name and new director.

    So, the council tax payer has paid the fine for them.

    Great, thanks for that you set of twats.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like