The London Borough of Kensington and Chelsea has revealed that staff have had data on children stolen on three occasions, including twice in pubs. In response to a freedom of information (FoI) application from BBC Radio 5 Live's Donal MacIntyre programme, the borough said a social worker had taken papers including court reports …
I'm not sure what's worse - that the data is treated in such a cavalier fashion by half of the Borough's contacts, or that almost all of the other half don't even fulfill their legal duties under the FoI Act.
They did all reply, it's just that some responses were lost in the post
Mine's the one with....hang on, it was there a minute ago...
......how hard is it to run a Gutmann level scrubber through a computer's hard disk before disposal?
Also, why are government departments letting people go out on the piss with the work laptop?
Surely there is a problem here, a coffee shop I can handle but going to the pub with a laptop containing sensitive data should be a sackable offence.
Then again I've seen teachers lose countless laptops through stupidity, like leaving it in the car in full view and expecting the unscrupulous youths not to smash a window to get hold of it; after having been warned, said muppet does the same thing the following year.
In the end they started getting the junkers because they were too thick to look after them.
This proves once again that the UK is a complete and utter joke, and this creeping extension of the local councils into becoming a major part of the State security apparatus is a snowballing disaster of epic proportions.
The “nothing to hide, nothing to fear” brigade – they do have something to fear, the incompetence of the local authority idiots who have been unnecessarily given far too much access to far too much private information, and then the possibility to leave it in the f*cking pub!
Unlike private companies – if this lot mess up, you can’t sue them for identity theft etc. You’ll even be hard pushed for them to even admit they messed up. Once upon a time, heads would roll and people would be fired for this sort of thing. Nowadays it’s just a slap on the wrist and don’t do it again.
I work on the continent. I show stories like these to my colleagues – they always do good goldfish expressions. It’s on a daily basis that the UK State machinery is embarrassing itself.
Here’s an idea. We now have fully automated fine systems. Stop and/or drive your car in the wrong place for 2 minutes, and whammo – instant fine in the post. The local authorities should have the same. Lose someone’s private data – and whammo, instant fine – with the victim getting the cash. Sliding scale for seriousness, obviously. Some might argue this is pointless, as it’s the council tax payer who will suffer. Well, they’re already suffering – and those who are creating the pain aren’t feeling any pressure. Council tax bills start ramping up, trust me – that’ll shake some of the complacency out of them.
So, always in pubs ?
"The London Borough of Kensington and Chelsea has revealed that staff have had data on children stolen on three occasions, including twice in pubs."
If I lived there, I'd be mostly worried that it occurred to the Borough staff twice as often in pubs than anywhere else.
Not jumping to conclusions, but why never in the supermarket, or in their car, eh ?
The Security Mindset
Thanks to Schneier's Crypto-Gram for the link...
All persons that are charged with any responsibility for Private Data, should be forced to go on one of these courses.
For those of us that are involved in the various branches of Security, these lapses by civil servants (and other than them) seem so obvious that it hurts - but most of these morons don't even see it as an issue (re-read the responses from official-dom to any data-breach i.e. "The laptop was secured with a password").
Don't give 'em laptops
Why give these morons laptops in the first place?
Make 'em use desktops, in the office only.
Much less chance of losing sensitive data.
"Lost", yeah, of course. Pubs are very easy places to lose sensitive information that you have no reason to take out of work (work from home? these are council staff, they don't even work from work). Particularly when you're distracted by the guy in the trenchcoat and fedora sitting opposite you.
In unrelated news, Kensington and Chelsea private investigators have lost three brown envelopes stuffed with cash recently.
Outlaw "working at home"
Took work home in order to brown nose the higher ups? Bang! you're fired.
Allowed or encouraged an employee to take work home? Bang! you're fired, and the employee is owed serious overtime payments before leaving.
Turned a blind eye to an employee taking work home? Bang! you're fired.
I'm quite serious. Not only would this help with security of data, but would also help reverse the rising tide of "all your waking hours are belong to the company."
What I really wonder is how much work is actually done at home?
Paris, because that girl makes sure she gets paid even for attending parties. Must be a nice job if you can get it.
Responsibility and ACCOUNTABILITY
There appears to be a serious and general misunderstanding of these terms somewhere. If people are allowed to carry information on laptops or portable media it is likely that what they are actually carrying is an archive of everything they’ve ever copied to their laptops. By what authority do they take the data? Have they agreed and signed a document defining their authorities and responsibilities?
How many processes are in place to ensure that ‘data taken yesterday' will have been a) returned (unchanged or edited)?; b) purged after the individual's return to the office? I bet there are few security processes in place to track the use of sensitive data. Dissemination of data to third parties should also be specified/recorded and appropriate safeguards for tracking such data assured.
I'm deliberately ignoring the question of protection and encryption because what matters is that data has been 'lost' and therefore, by definition, compromised. Encryption might be equated to the use of ABS systems on cars – useful if you get into a difficult situation but hopefully should only be applied in dire circumstances. It has been shown that advanced vehicle safety systems tend to reduce the perceived ‘responsibility’ of drivers.
I will mention the question of 'sensitive' data. The classification of data should be approved in all cases and means of tracking the use of data should be in place according to the 'sensitivity' of the data. How often is data sensitivity determined, and by whom? (Who watches the Watchers?)
Back to Authority and Responsibility; if an individual has the Authority to remove data from the workplace that person should be endowed with, and respect, obligations to demonstrate their Responsibility for that data. Acceptance of and compliance with such obligations should be reinforced through the medium of legally-enforceable documents or other sanction mechanisms.
The general problem appears to be that certain organisations and authorities employ uncaring, overloaded, thoughtless, untrained or indifferent individuals who don’t recognise or respect or have forgotten their responsibilities. (E.G. Trust me – ‘I have an important job and know what I’m doing’). Furthermore I suspect that follow-up training and renewal of approval is not carried out in an effective manner. When organisations are short of cash or resources training and security are the first victims.
Responsibility should not have a ‘glass ceiling’. Ultimately it is the senior person, the security officer, the CEO, MP, ministry official etc. who has personal responsibility – beyond that, the organisation paying for the service (the customer at the top of the pile) has a responsibility to ensure, through repeated audits, checks and balances that their suppliers or contractors are ‘doing their job’ properly and are meeting all obligations. This, of course, requires the ‘customer’ to provide unambiguous, atomic, requirements to be met in the first place. There is no sin in admitting that such requirements need to be revised from time to time and costs may accrue as a result but hey, these costs have to be borne somewhere – and certainly not by innocent victims of such failures.
The recent changes in law regarding ‘corporate manslaughter’ might provide a precedent.
End of diatribe.