Two councils hit with big fines for laptop blunder The UK's information watchdog has slapped two London councils with hefty penalties for failing to encrypt personal data on laptops that were stolen by thieves. Ealing Council and Hounslow Council were both found to be in serious breach of the Data Protection Act, ruled the Information Commissioner's Office today. It said two …
..that the incidents, after thorough investigations, should result with fines against individuals that are responsible along with enforced changes to organisational policy with spot-checks thereafter.
Fining only works at organisational level for private enterprise but takes the piss with the public-funded sector.
"Hello, public? Yeah. You appear to have had your personal data stolen. This is going to put you in danger of ID theft and various potential ills, so watch out, and keep an eye on your credit reports for any loan applications taken out in your name. Please accept our apologies. Now listen, there's a fine payable for this, so if you'll just bare with us for two moments, we'll work out your share and arrange for you to pay us via your next council tax bill".
Personally, I say bring back hanging.
The idiot with the laptop? Not really their fault, they are unlikely to know better the laptop required a password to access they almost certainly thought that was enough.
The idiot who gave them the laptop? Maybe, but probably not they are almost certainly working to a policy.
The answer is to sack the person in charge of data protection, the person responsible for writing the data protection policy or the person that should have employed someone to be responsible for a data protection policy.
I agree there's no point in giving the council a fine, reserve that punishment for businesses, if you fine a business then the CEO doesn't get a new Jag this year. If you fine a council the only people who will lose out are the residents either financially or as a result of a loss of service.
Actually, it's frequently the case that the Data Protection Officer or similar doesn't have the authority to mandate particular security measures and even more frequently it's those in charge of the IT budget who are obstructive. "We don't have the budget" is the most common refrain, especially if it would take a ludicrously expensive change request to the outsourced service provider to get anything done.
A few years back I was working in a reasonably high profile public sector watchdog organisation with access to some extremely sensitive data. My manager and I could emphasise the need for encryption of all laptops till we were blue but were told no. It was the Head of IT who actually said "It's too expensive, too time-consuming and too irritating, so we're not going to do it". Fortunately (in a way) the HMRC data debacle happened the next week, so that position had to be reappraised.
High profile losses and fines do actually serve to force other organisations to get their houses in order and the fact that the ICO is levying fines might help - though the lack of custodial sentences means that the deterrent effect is still limited.
It's all very well to harp on about firing the DP person, but I suggest it would be more appropriate to investigate each incident first, find out who acted against policy and who failed to put decent security in place, who didn't act on proper recommendations before calling for your pound of flesh.
Or are they like some other councils who outsourced it all when that was the rage and are now reliant on advice from a commercial organization?
If it's the latter I do hope we'll be seeing the councils suing said commercial organization for failing to properly advise them on both security and the potential penalties for failing to secure.
What do you mean "Did I see that pig?"...
So now I have to technically pay for this cock-up through my taxes?!
Why can't you just sack the muppet who lost the data or sack the muppet in charge of the plank, who lost the data?
Fine a cash-strap council makes no sense. Oh, of course this is local government, nothing makes much sense!
Someone should be sacked and/or jailed over this. The fine is adding insult to injury and amounts to the ICO stealing from taxpayers in those districts.
This would have worked out better for those hit had the ICO not been involved. Perhaps someone from the ICO could explain why they are stealing tax payers money and where it is going?
And I agree that the person who put together the data protection policy should go, but it seems to me the point of the fine is to send a message to other councils etc that this is an area that they need to improve on or they will end up paying (and getting a lot of bad press)
If this fine means other councils get their act together then it is an acceptable burden on the taxpayer. Of course, sacking the policy person would also be acceptable.
So why would another council be worried? If another council fucks up they get their budget cut and spend less on steetlighting, or doing up the local community centre or whatever. Then the residents get pissed off and... what exactly? Move? Since you are forced to pay council tax to the council where you live (which does make sense, I'll admit) there is nothing you can do.
Even if you vote out one mayor, for example, the next will inherit the same pricks that lost the data for the last one.
The only problem is that, sadly it will make absolutely no difference to other councils for the very reason that it had no direct impact on the council itself.
Councils (and other publicly funded bodies) are just like children in that respect, if you fine the parents when a child is bad it does not educate the child as they see no connection between their actions and their parents' punishment.
If you want to educate the child(council) you must directly affect them by withdrawing something they value until their behaviour improves. Perhaps for a council you remove council-provided facilities such as travel allowances or parking rights for the offending person and the two/three steps up their line management to inconvenience them and let them feel the frustration that carelessness can cause or worse still you could have them get independently clocked in/out on a daily basis and work in an open office so that everyone can see their shame, and they only get paid for the hours they attend.
It has been known for a very long time (well in excess of 5 years) that it is a bad idea to have confidential information available on insecure laptops.
5 years is more than enough time for policies, procedures, training and compliance processes to be put in place within public bodies to secure data on mobile systems. If it can't be 'adequately' secured then the system should not be used - simple! Failure is not an option.
Failure to have these systems in place should be made a serious criminal offence. in the event of loss of information and investigation shows individuals to have been responsible then significant personal fines and Gaol time should be available penalties. Bollocks to the 'Oh, it was just an accident' defence.
If I lose significant client data, I am suspended and my contract terminated for gross misconduct. No 'Ifs, ands, buts or maybes'. I make sure I don't have the opportunity to lose the information!
Bleeding hearts who make pleas on behalf of ignorant fools who lose personal data upset me mightily. If you need a tool to do a job then you should know how to use it - just like a chains saw.
In Belgian law, there is a legal status of "extended minority", meaning that someone is still officially a child despite being born a sufficient number of years ago that they would otherwise count as an adult (usually used in cases of severe mental handicap).
If only we could have something like that here, for people who aren't ready to be unsupervised when doing things that might affect the public.
even though I have no idea what the data was for , or the way their system operates, I cant see any reason for that amount of data to be on one persons laptop .
and yeah someone should be sacked , hard to say who , but if they have no policy of encryption then someone very high up.
There are dozens of good reasons why that could be... A Social worker who is on out of hours duty call for a large area could easily have to have basic detail on that many clients, if its only at the level that so and so is a client. And if you are out on the road then its going to be very difficult to find a Government Connect approved link, so you won't be able to get into the on line system, even if it is 24*7 supported (unlikely - budgets) and guaranteed to be available when you need to find out if Mr X has a history of beating up his current girlfriends little children or Ms Y has tendency to feed the kids smack if they wake up and cry in the night...
"here are dozens of good reasons why that could be... A Social worker who is on out of hours duty call for a large area could easily have to have basic detail on that many clients, if its only at the level that so and so is a client. And if you are out on the road then its going to be very difficult to find a Government Connect approved link, so you won't be able to get into the on line system, even if it is 24*7 supported (unlikely - budgets) and guaranteed to be available when you need to find out if Mr X has a history of beating up his current girlfriends little children or Ms Y has tendency to feed the kids smack if they wake up and cry in the night.."
All very worthy
So why not fit *all* office laptops with something like truecrypt and either assign and change the passwords on a regular basis (not letting staff change their own) or explain in detail what happens if they forget it.
The councils ballsed up but we end up paying the fine. Why doesn't the ICO name and shame those responsible for the balls up and hit them with a fine?
Because it doesn't have any balls. Sure it can fine a council or two and the odd hospital but when it comes to businesses, the ICO's balls suddenly go missing.
As I've said before, the ICO is unfit for purpose. Lacking guts and balls, it is an irrelevance that should be terminated and a new, appropriately staffed and powered body put in its place.
As AC above says: "5 years is more than enough time for policies, procedures, training and compliance processes to be put in place within public bodies to secure data on mobile systems."
It isn't rocket science.
I can't reconcile this decision to fine the council with the ico. decision to let BT off completely. Ealing council had a policy which employees did not carry out. According to the BT/ACS:Law case, then the ico. should have declared that a matter for internal discipline of the employees. Or is it one law for a local council, and no law at all for a large national Telco?
Ealing being the council which two years back lost all their IT systems to an infected memory stick, including Cisco telephone system for the best part of three weeks because, as I understand it, they hadn't updated their anti-virus protection for five years let alone partitioned the network or taken any of the other basic yet essential precautions.
But in the world of public sector mediocrity, unlike that of greedy bankers, it was just one of those things that happens to every large organisation sooner or later according to Ealing councillor Phil Taylor (http://philtaylor.org.uk/?p=2282). The IT manager who presided over this didn't walk and is presumably still in line for a golden handshake and 2/3 final salary pension at the council tax payers expense.
As most of the posters above say, a fine punishes the innocent taxpayers, not the council. Several have demanded that offending council employees should be dismissed or otherwise disciplined.
One poster (Qtoktok) suggests "it would be more appropriate to investigate each incident first, find out who acted against policy and who failed to put decent security in place, who didn't act on proper recommendations".
Imagine the process necessary to sack a council employee. Think of the numerous well-populated meetings that Qtoktok's investigation would entail. (Can't you just tell he's worked in the public sector?) The eventual cost of all these suggestions would make the ICO's fines look trivial. And who ends up paying? We do.
The only answer is to curtail the scope of government. When councils just did bins and drains they were cheap and relatively trouble-free. But that's a larger issue.
Yep, that would work... Provided of course you can make " s*** happens " an approved and acceptable response when ever journalists come round and they and their interviewees complain about little disabled Sara not getting a special school place, or Ms X losing another baby to the latest violent boyfriend or Mr Smith trashing his nice alloy wheels in a pothole or all the other stuff...
Unfortunately these days its always "something must be done". And doing something costs money...
Never again.
Let the IT ignorant f*****t who has sign off authority make the decisions and live with them.
I'll tell them they have a problem and what will happen if they don't handle it.
"It's just one of those things"
No you w***er it's your failure to plan.
I guess having a "responsible" job is easy if you have no actual sense *of* responsibility.
I'll dowse the flames and return shortly.
To allow for the fines to be deducted from the pension pots of the heads of department and the Chief Executive(s) of the council and if any consultants or other organisations where involved in the policy/process for them to be fined as well.
That way even the kevlar proofed life time civil servants have some accountability and feel the pain of there errors.
No, encrypt /all/ the data on the laptop, not just the client data. If there's one thing that's going to stop people using encryption systems on their computers it's having a "please enter password" box pop up for EVERY SINGLE SODDING BL***Y FILE they try to open. Encrypt the entire olbdyo device, return-to-maintence lockup after 3 failed logon attempts.
Why doesn't the ICO fine the Council CEO out of his/her salary? It's mostly big enough to take a bit of incompetence now and then.
But if it starts to happen too often, it might cause a flicker of interest as to what's going on in the ship, and provoke some cracking of heads of those planks that are reducing his/her income.
Focusing the mind of the responsible person while on the golf course could be a way forward to the dramatic improvement of departments.
Councillors responsible for failing areas could get censored too, although kicking them out of public office for a while would be more appropriate seeing that they are non-salaried.
We need an cute acceptable buzzword for a scheme that is the opposite of bonus to be implemented where negative results are achieved - and not just for Council CEO's either!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
