UK council fined £70k for leaving vulnerable people's data open to world+dog

A UK council has been fined £70,000 for leaving vulnerable people's personal information exposed online for five years. Nottinghamshire County Council posted the gender, addresses, postcodes and care requirements of elderly and disabled people in an online directory that was left accessible to world+dog. No usernames, …

  1. Anonymous Coward
    Anonymous Coward

    Fining public bodies.

    It's basically pointless, isn't it? One taxpayer group will pay another taxpayer group, and a bunch of lawyers will get extra fees, also from taxpayers.

    Until the staff of councils have to pay these fines they will continue to not give the slightest toss about them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Fining public bodies.

      It's not the money it's the bad publicity that goes with it that makes the difference. Senior managers don't care about the money; £70k, that'd barely pay for a consultant to come in on a contract to save £70k.

      But they poop their pants at a bad press story and it probably will change attitudes towards signing off stuff without being checked. At least for a few weeks.

    2. veti Silver badge

      Re: Fining public bodies.

      The taxpayers of Nottinghamshire will be, collectively, £70,000 out of pocket. That's money that can't go to park maintenance or bin collections or any of the other useful functions.

      Now the councillors will have to explain this to their voters. An honest explanation would probably go something like "Sure, this cost you £70,000 - but consider, if we had to take precautions against this kind of thing all the time, that would cost you £20,000 every year. So, since 2010, we've actually saved you £70,000."

      I doubt anyone is going to be that honest, but that's how the money ties together. It was the taxpayers of Nottinghamshire who benefited from the council's lack of precautions, so why shouldn't they pay the fine? If they don't like it, it's up to them to elect some better councillors.

      1. nijam Silver badge

        Re: Fining public bodies.

        > The taxpayers of Nottinghamshire will be, collectively, £70,000 out of pocket.

        Peanuts. They've just been lined up to fork out over half a billion for a tram system that is not noticeably better than the bus services it didn't replace. (But at least it obstructs other road users, which I presume is the point.)

    3. Anonymous Coward
      Anonymous Coward

      Re: Fining public bodies.

      Actually working in public sector we're scared of fines as it means fewer resources to spend. We've never had one but just the threat of it keeps our directors on their toes. The loss of public confidence is arguably more important to us (NHS) but it's a difficult balancing act because on the one hand you have common sense and data protection legislation and on the other you have the government pushing us to work with councils and police services, many of whom want the NHS to pay and lead on everything, then share the benefits. We'd frankly rather not share our information with services which don't have any mandated requirement to train staff to the same level as us, who are far more likely to be fined as a result of a breach - because they tend to screw up on a much bigger scale and who don't seem to grasp why we're terrified to let them near mental health information.

      Yeah I'm biased, because I've seen hundreds of examples of councils and the police not giving a **** about the DPA over the past few years and wanting sensitive personal information shared without any agreement between data controllers etc because "it's needed now" when in reality what they mean is "it'd be handy for us to have now" and it's not actually an emergency.

      1. Anonymous Coward
        Anonymous Coward

        Re: Fining public bodies.

        > "Actually working in public sector we're scared of fines as it means fewer resources to spend."

        I'm sure you don't cock up, but the implication there for you is that it's sick people (NHS) who cop the bill rather than the staff.

        1. Anonymous Coward
          Anonymous Coward

          Re: Fining public bodies.

          The staff aren't being found guilty of breaching any ICO ruling or law. It's the organisation which is. That's part of the issue though - we don't go after individuals often enough.

      2. Anonymous Coward
        Anonymous Coward

        Re: Fining public bodies.

        NHS AC said "I've seen hundreds of examples of councils and the police not giving a **** about the DPA" but I have worked for a local council and can say that the attitude of the NHS staff we had to deal with was as bad.

        One in particular would often come round to the Admin team and ask in a loud voice so everybody (in the office) could hear "Who can tell me about so-and-so?" Assuming one of us actually had time to spare (not often, we're overworked too) to help, she would be invited over to that Admin's desk and we would do what we could. And, more often than not, she already had all the information we had and more, because WE shared info as we are supposed to - including all due regard for privacy, data protection, not printing it off and leaving it on the shredder because it was full and she couldn't be bothered to empty it, timely sharing of potentially lifesaving information - even though the NHS teams often refused to tell us anything, citing data protection!

        Here's a clue - if you need us to provide a service and make sure it is funded, you need to tell us what service the person actually needs. Simply saying "So-and-so needs homecare" isn't enough - how many calls a day? Assistance with lifting, so needing 2 people? Can they cook meals safely? And so on. Without that, the client won't get the care they need.

        She was the worst example but some of the others were also a little sloppy when it came to data protection - most of them were more than happy to walk away and leave their computers unlocked and waiting the 10 minutes until the screensaver kicked in, or to discuss all sorts of information when members of the public or people from other parts of the two organisations - who had no Need To Know this stuff - were in the office.

        There are good and bad examples on both sides of the handcart(1) but that doesn't excuse the fact that council tax payers are once again footing the bill for some cost-cutting decision made by someone who has basically gotten away with it.

        (1)The one we're riding to the First Ring...

  2. kain preacher

    Simple fix. Everyone in the council is fined 3 months' pay.

    1. Aladdin Sane

      You'd fine the bin men for the failures of management and IT?

      1. Anonymous Coward
        Joke

        Re: Every one in the council is fined 3 months pay

        You'd fine the bin men for the failures of management and IT?

        On the upside, those managers and IT people responsible probably won't get their offices cleaned properly or their bins emptied ever again.

        1. Terry 6 Silver badge

          Re: Every one in the council is fined 3 months pay

          The council's premises are probably cleaned by a contract company, anyway. Come to that, who created this "portal"?

        2. Anonymous Coward
          Anonymous Coward

          Re: Every one in the council is fined 3 months pay

          "You'd fine the bin men for the failures of management and IT?"

          In Birmingham that may be a very popular option at the moment.

      2. Anonymous Coward
        Anonymous Coward

        > "You'd fine the bin men for the failures of management and IT?"

        That's what happens in the private sector, when the company does badly everyone in the business suffers, sometimes lose their jobs even.

      3. splodge

        Bin men have not been employees of Nottingham council(s) for years. They work for Veolia, unsurprisingly.

    2. Stuart Halliday

      So why should the cleaners, child minders, librarians, security guards, drivers get fined for lousy IT?

    3. Anonymous Coward
      Anonymous Coward

      Well, you could have everyone part paid from a bonus pool and that pool is used to pay fines first.

      Everyone in an organisation is responsible for the way it functions to some extent.

      1. Triggerfish

        Everyone in an organisation is responsible for the way it functions to some extent.

        You know, having worked as a temp answering bin calls for a council, I am pretty sure I had no say in the IT infrastructure of the place. I don't remember anyone coming round asking me for my opinion of the firewalls or processes they had in place.

  3. Anonymous Coward
    Anonymous Coward

    I hope they are prosecuting the member of the public too ...

    seems SOP these days ...

    1. Roland6 Silver badge

      Re: I hope they are prosecuting the member of the public too ...

      Nah! Just get them an invite to DefCon and the FBI will do the rest...

  4. Anonymous Coward
    Anonymous Coward

    More than likely....

    ...someone internal would have reported this in IT but been ignored by management. Happens all the time in local government.

    1. 0laf

      Re: More than likely....

      They were probably ordered to put it in quickly and shut up about any problems.

  5. Prst. V.Jeltz Silver badge

    Let's see how many people are going to comment "Fine or sack the directors!"

    <popcorn>

    1. Anonymous Coward
      Anonymous Coward

      There should be accountability, at the highest levels. Therefore, the various technical design authorities, CIO, COO, Heads of Service, Head of IT, Data Stewards and System Owners need to understand the implications. Whether that is "Fine or sack the directors!" or a KPI to monitor to ensure it doesn't happen.

  6. Chris G

    Train them

    In the past, before council services went to hell and Capita, council employees had to attend health and safety, first aid and other obligatory courses. With health and safety they had to sign to say they had attended.

    Given that almost everyone in a council office is almost certainly working with a computer terminal at some point in their work, and the fact that data security and breaches are so important and far reaching, I would suggest that ALL workers should attend an annual IT security course, sign to show they have attended and be held responsible for lapses like that in the article. No training certificate, no work relating in any way to IT.

    Independent oversight to ensure the quality and relevance of courses would be useful too.

    1. Commswonk

      Re: Train them

      I would suggest that ALL workers should attend an annual IT security course, sign to show they have attended and be held responsible for lapses like that in the article.

      Impossible to argue against that, but I might argue that a data protection failure would not necessarily be covered by IT security; data protection is the responsibility of an organisation's Data Controller - capitalised because it is a responsibility mandated by the DPA. AFAIK there is nothing that requires the function to fall within "IT".

      At the same time if the data was set up to be accessible to "social care providers" then it follows that it passes outside the boundaries that the (Council) Data Controller has to take responsibility for; each of the "social care providers" would have their own Data Controllers (I hope!) who would each have to oversee how the data was managed once it was in their own organisation's possession.

      Although I would not say that it happened in this case it is entirely possible that the best efforts of one organisation can be completely undone by carelessness, stupidity, or malice in another. (But see Hanlon's Razor!)

      It might be interesting to know (even if not wholly relevant in this case) how many "social care providers" have proper Data Controllers to oversee the proper management of client data, and how many organisations have breaches of the DPA as a disciplinary offence down to the individual employee level.

      1. Chris G

        Re: Train them

        My point about training is that everybody who would access such a database should be aware that if they don't need any authentication to access it, then nobody else does. With training in place it would then be everyone's responsibility to report a lapse in security. When I left the UK in the '90s, health and safety was reaching the point where the individual had been trained and was therefore as responsible as anyone else for an accident related to a lapse in H&S procedures.

        If a machine has no guard, that is first a management failure; if an operator uses it and sticks his head in there past where the guard would have been, he is also responsible for ignoring both the missing guard and the unsafe work practice that he would have been trained to avoid.

        Clearly the form and type of training should to some degree be dictated by the trainee's function within the system.

        1. Yet Another Anonymous coward Silver badge

          Re: Train them

          Then you get to a point where everyone's job becomes compliance arse covering.

          Little-old-lady (tm) rings up to ask about her heating. Your priority is making sure that you have ticked all the boxes rather than helping her. If you miss asking her the correct 32 digit case number at the correct points during the call you can get fired, if you just hang up you are safe.

        2. keithpeter Silver badge
          Coat

          Single sign on - Re: Train them

          "My point about training is that everybody who would access such a database should be aware that if they don't need any authentication to access it, then nobody else does."

          @Chris G

          I log into a PC that is a network client on my employer's system. I access stuff on the Intranet, say a business application. I notice that I can access the application directly, but I'm assuming that is because I have logged into the PC, because most of the business applications I use are single sign-on. If I had advanced knowledge, I might notice that the application does not obviously reflect my user name, but then it may be that the nature of the task does not require my details especially or depend on my 'role'. It would not occur to me normally to access the application from a device outside the organisation because, well, it's for work, isn't it? I would not therefore realise that the system was wide open.

          The system in the OA was found using a search engine query from a random member of the public. It strikes me that the outer portal may have had a username/password challenge but that the files inside/cached pages whatever may have had incorrect file permissions/acls set by the original designer. As others have said, the original designer may have been the employee of a contracting company, possibly as part of a semi-shadow IT project (penumbra-IT?). The lack of a cynical BOFH type poking sticks at the thing just to see what they can see does strike me but perhaps they have been outsourced.

          Perhaps certification of some kind for any application (business to business or whatever) that holds confidential information would be the best route? Ensure the ruddy thing doesn't leak round the edges in the first place. What I think I'm saying is that you need a technical remedy for a technical issue of design rather than a social remedy in the form of 'training' and the resultant dumping of accountability onto end users. A technical solution is applied once in the form of robust design. The social solution has to be repeated indefinitely and results in many possible points of failure.

          Coat: Mine's the one with completion certificates from 9 (yes 9) mandatory training courses I have had to complete this year - I'm a teacher.

      2. Anonymous Coward
        Anonymous Coward

        Re: Train them

        National Information Security Directive that's coming at some point may require an IS version of the SIRO. Problem is it needs teeth to go with it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Train them

      "Given that almost everyone in a council office is almost certainly working with a computer terminal at some point in their work, and the fact that data security and breaches are so important and far reaching, I would suggest that ALL workers should attend an annual IT security course, sign to show they have attended and be held responsible for lapses like that in the article. No training certificate, no work relating in any way to IT."

      Staff do have to undergo IT security/data protection training on a yearly basis. At least they do at the Council where I work.

  7. andy 103

    So, what actually happened? Details, details.

    It would be interesting to know more details about how they "posted" these details.

    What this suggests is that a file has been placed within their publicly accessible web space, and then possibly indexed by a search engine.

    However, there are a lot of questions over that. Firstly, how/why had it been put there? By who? For what purpose?

    Or was it a sloppy developer who built a web application where it wrote files containing form data to the web root (yes, seen it happen) and those were indexed? Was it a developer, or a non-IT member of staff?

    Fining people alone isn't the answer. Knowing what has happened would actually help in situations like this, but no doubt they'll do some "investigation" and be none the wiser themselves. Each party will blame the other, etc etc.

  8. Anonymous Coward
    Anonymous Coward

    cost per person

    So the value of PII is £23 per person?

    1. 's water music
      Joke

      Re: cost per person

      So the value of PII is £23 per person?

      Once that is amortized over five years, I am pretty sure they could cover their losses from the fine by selling Google a licence to keep using it.

  9. Anonymous Coward
    FAIL

    IT is difficult; secure IT is next to impossible..

    So outsourcing everything to the cheapest IT shop is not very clever.

    1. Derezed

      Linkage

      Have you got a link to the source that tells you that this project was outsourced, instead of some council employee giving their nephew "who is very good with computers" free rein to build a piece of shit web front end using some ill-developed PHP skills?

  10. Anonymous Coward
    Anonymous Coward

    So the ICO

    actually gets to collect. But ONLY because it's a government body that's been fined, a local council.

    So the council has simply coughed up to save face.

    Yet the ICO are totally ineffective at collecting fines from cold calling companies who simply wind up the business, fuck off for a fortnight, then magically reappear with a new name and new director.

    So, the council tax payer has paid the fine for them.

    Great, thanks for that you set of twats.
