Scumbag who tweeted vulnerable adults' details is hauled into court A man from Kent, England, has been prosecuted under the UK's Data Protection Act for leaking sensitive police information on Twitter. William Godfrey, 30, of Bethersden, tweeted the personal details of a vulnerable adult after obtaining a USB stick belonging to his former partner, a probationary officer, containing the private …
Probably not a good idea, I'm wondering what his terms were ? Maybe trying to get them to prosecute the idiot that had this info on a non secure USB stick ?
'after finding the information on a USB stick belonging to his former partner, a probation officer.'
Someone else also needs a meeting with the ICO!
You need to read up on the DPA and, especially, GDPR (which is really just a formalisation of what the DPA case law already establishes).
If you have personally-identifiable information on a machine (or now even on paper), it's subject to the DPA and is most definitely an IT and HR issue. As in... she shouldn't be allowed to use a USB stick, shouldn't need to write up notes at home, certainly shouldn't be doing so except on encrypted and controlled devices via encrypted and secured channels (e.g. remote desktops over VPN).
It is most definitely an IT issue for there to be an unencrypted USB stick wandering around with any kind of information gathered as part of someone's job. Whether you like it or not.
P.S. DPA has always had, and is now formally codified as having, personal liability. Not only her, but YOU as the IT guy can get fined, as well as the company, for not knowing this.
"shouldn't need to write up notes at home"
Shouldn't but she might have one of those jobs were they expect you to finish your job in 40 hours even if it takes 50 hours to do and you have to work of the clock at home . Which might explain why I've not read were she was punished. because to do so would open a can of worms .
"shouldn't need to write up notes at home""
Ha ha ha ha ha haaaaaaaaa
I suggest you never met a social worker in your life then?
Somehow they are expected to drive an hour to each case (3 or 4 in day) talk to the people (another 3 or 4 hours) and then document every tiny detail in case it gets dragged up in court (you know things like didn't seem to be any toys in the kids room; parents rooms immaculate, rest of house shit hole; bins not emptied, clothes badly fitting, odd socks, poor teeth, scratch on left arm, child edgy).
Now try doing that through piss poor IT system, you know, the sort you have to type up in 3 different incompatible systems, where some dickhead IT "security" guru has disabled copy / paste, or where mangles carriage returns.
People like this would rather not work at home till midnight, but the IT systems are so shockingly bad and the workloads so high, they have little choice.
Oh and when you are visiting a "client" how to you propose you pull up their records? Using their WiFI, hoping they can tether and get a decent signal from their poundland 5 year old "smart" phone?
Remember every detail about the person you saw for an hour 3 months ago (having seem another 100 since then?).
Yes the should be encrypted, but saying crap like "shouldn't write up at home" shows you live in la la land and not reality.
Not only her, but YOU as the IT guy can get fined, as well as the company, for not knowing this.
No, you can't. You could be penalised for not having appropriate policies and training or for demonstrable negligence, but any attempt to impose absolute liability runs slap bang into Wednesbury Unreasonableness.
So long as the person in question has been clearly instructed not to record data in an insecure manner you (as the IT guy) have an absolute defence regarding anything that person gets up to on their own premises with their own equipment on their own time unless it can be conclusively be proven you were aware of it or could reasonably be expected to be aware of it without breaching your own obligations regarding employee privacy, particularly in respect of personal equipment and premises.
GDPR won't change that since it is a basic principle of Judicial Review, not a technical point of statutory interpretation. While it is true that Parliamentary Supremacy means that the Judiciary cannot overrule the Legislature when two points of law come into conflict the courts can decide which one they are going to uphold.
Defences in contract and tort are similarly robust since enforcing the data protection policies in all cases would require actions that exceed the legal powers of an employer and any contract or tort fails if it's fulfilment requires an illegal act (e.g. spying on employees).
"or could reasonably be expected to be aware of it "
Such as, for instance, ensuring that you run industry-standard software to stop unauthorised devices on the authorised machines.
"Reasonable" in terms of data protection has included - in case law - things such as reasonable preventative measures to ensure compliance with your verbal "don't do that"'s. Saying "I told them they should have a password" just doesn't pass muster any more. You have to show that you've enforced that and are aware of those exceptions. To not do so is negligent in your data handling duties.
It's also been a factor that you can say "we don't allow that" until the cows come home - but the courts only consider it reasonable if you're also CHECKING that it's not possible, and that people aren't doing it. You can only do that by putting in, for example, device and data control systems. Courts deem that to be the "reasonable" measure, not "Oh, well, it's Sheila, we did tell her".
The fact is - this is all a consequence of DPA case law, where the definition of reasonable has been decided by a judge but not written back into law. GDPR is an attempt to codify that case-law back into actual words.
Hint: An NHS trust was fined for NOT BEING ABLE to prove that a lost disk had been encrypted before it left the building. Not that it WASN'T encrypted. Not that it wouldn't have been expected to be encrypted. But that they couldn't definitively prove that it WAS encrypted BEFORE it was posted and then lost. Case law is not on the side of liberal interpretations of "reasonable" here. Even *potential* for someone *unauthorised* (i.e. not necessary for their job) to see any amount of personal data that they don't need to see as part of their job, can be interpreted as a breach. i.e. that there was even a brief window of opportunity for Fred Bloggs who works for the company to have BEEN ABLE to log into something that might have given him more info than was strictly required for his job? Fineable offence, including personal liability of whoever facilitated that.
You can scream "but nobody ever would prosecute for something so minor" until you're blue in the face, because that's not how the courts are interpreting it.
Take an example: Some minimum wage phone operator sells on your customer list to a rival before they leave. It's STILL a breach of the DPA, even if you told them not to do that, even if their doing that was a breach of everything in question, and even if they were authorised access to those records as part of their job. You will still be fined, as a company, for a) it happening, b) allowing it to happen without a reasonable safeguard against it. It really doesn't matter what THEY do, which is the essence of the whole problem. They just shouldn't have access to anything they could do that with, or be able to splat that information about willy-nilly and you need to show reasonable attempts to control that data (which doesn't wash if you just say "Oh, well, they had an Excel of every email address"... the next question the court asks is "Why?" and "How did they get that?")
that there was even a brief window of opportunity for Fred Bloggs who works for the company to have BEEN ABLE to log into something that might have given him more info than was strictly required for his job? Fineable offence, including personal liability of whoever facilitated that.
That all revolves around office systems and centralised data stores and that wasn't the point I was discussing. If a probation officer or social worker (etc.) interviews a client and then decides to type up some notes at home on a personal laptop and save them on a USB stick then there is no liability applicable to corporate IT personnel. The DPA, Computer Misuse Act, ECHR and several other statutes operate in the exact opposite direction - intrusive measures designed to monitor employee actions when they have a reasonable expectation of privacy are likely to be illegal and trying to monitor an employee's own devices in their own home is clearly a criminal act (forget fines: gaol time).
The one thing you can be sure of is that the courts will never extend the definition of "reasonable" to include breaking the law so you have an absolute defence if you establish that the steps necessary to prevent a breach would themselves be illegal.
In fact that was pretty much the threat,
Surrey Police produced the document containing the personal details of no less than 40 individuals including rape victims, victims of abuse and vulnerable adults.
It was then disseminated around no less than 30 individuals who were not Police officers and had no need to see the document, it was then disseminated externally.
In June 2014 i reported the breach to the ICO then chased them up in August October December January 15 and then after i broke up with my partner one of her colleagues returned my stuff and in it was the USB stick with the files on it. During this time further people without a need had seen it. I contacted the ICO and IPCC who said they did not intend to take any action.
Five years or even ten would make no difference.
Prison sadly is not a deterrent for the stupid, as is evidenced by the high repeat offending rates. There's little robust research on what might be an effective deterrent for such people because the only allowable choices are clink, fines or "education & rehabilitation" all of which have very limited success, even where they've really tried the E&C approach, as in Scandinavia.
Personally, I'd be quite happy to see the stocks brought back, and let him sit in his own excrement for a week whilst being abused and pissed on by drunkards. Probably still not a deterrent, but a suitable and inexpensive punishment.
Then Surrey Police have seriously misrepresented the case to the court in order to cover up their incompetence (not unusual in my experience) AND the ICO has gone along with it (The ICO has a credulity issue, often resulting in cases taking many times longer to solve than they should because they keep believing what the officials tell them when there's evidence to the contrary and pretty much have to have that evidence rubbed in their faces.)
The outcome of a case like this (which appears to be 'someone's attempted to whistleblow and demanded action or he'd hand it to the media') might not be what the ICO and Surrey Police were expecting.
IE: In future cases someone might skip the whistleblowing stage and simply go straight to the media, explaining how it got circulated around unauthorised persons and those with no justification to possess it before falling into his hands.
One assumes there was a world class "public defender" appointed by the court and there's no way of appealing.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
