Privacy watchdog the Information Commissioner's Office (ICO) has taken action against a local authority which lost two laptop computers, despite the fact that they were stored in a locked office and password-protected. The ICO has found that the Council was in breach of the Data Protection Act (DPA) and The Highland Council has …
It may sound harsh punishment.
That they were password protected and stored in a locked room might seem sufficient, but the ICO is correct in saying that personal data should be encrypted. Encryption shouldn't be optional; it does need to be mandatory with this type of data. That should be on all devices, not just mobile/portable.
"... despite the fact that they were stored in a locked office and password-protected."
So what? That's the least possible amount of security. If you have a corporate laptop joined to a domain it will always require a password. And who doesn't lock their office? That's not securing data, that's just having a door on the building.
It seems entirely reasonable to expect them to better secure sensitive information than just to lock the door and have it on a laptop. They could only protect it worse by printing bill posters of the data and stickering them across the outside of the building.
ICO does something worthwhile for the first time in its entire existence shocker!!!!
...meaning the absolute best case, assuming it's a BIOS password and being a laptop it doesn't let you reset it, is that the bad guys have to go to the "effort" of extracting the hard drive to get at the details.... not very good, is it?
I'll admit they were probably stolen for the kit rather than specifically for the data, but I bet whatever man down the pub techy they use to wipe them knows someone who knows someone who pays for that sort of thing...
punish the residents
OK, put aside the ins and outs of this particular case and just how many locked rooms a lappy with personal data has to be stored in to satisfy this particular QUANGO. Let's talk about what will happen in the future, now that we have been told the ICO are being given the power to levy fines.
In times to come they will have the right to extract money from transgressors. In the case of fining a local authority, just who gets hurt? Not the individual whose lax observance of the rules led to the lapse (well, they might get told how naughty they've been and please don't do it again, or we'll have to suspend you on full pay and send you to your room), as council workers are pretty much bullet-proof: short of causing people to die, anyway. Nor will blame be apportioned to the committees that came up with the inadequate security measures in the first place.
Given that in future those local authorities who are found guilty and fined for their shortcomings will not suffer the consequences themselves, it's hard to see what the point of punishing their tax-payers would be.
The fine will become the burden of the council-tax payers. It will reduce the council's available cash, so either they will raise council taxes to account for it, or they will reduce services to balance the budget. Given that they are not accountable to their "customers", who most councils regard as merely a source of never-ending revenue: it's difficult to see how imposing a financial penalty on an organisation who will just pass it on to the innocent, but easily-tappable residents would be any sort of deterrent.
Fair enough but still...
....I would bet that no one gives two tosses about the `sensitive` data on these laptops.... stolen laptop = 50/100 quid on street = easy money.
As for disk encryption, everyone knows it's far, far easier to get information from staff than an encrypted disk - do a good enough job and they'll email you a copy of most things you want to know, or give you their password. Or wait til they are logged on and then pop in to do some work on their PC as a techie, or whatever.
People are and always will be open to coercion and persuasion, computers ain't.
So if it's got to be encrypted...
Logically that would apply to everyone's servers as well as they are just password protected in a locked room... Interesting...
Why is this news?
I used to work in local government. I can guarantee that this happens every day across the country to laptops in some council or another.
Oh wait, it's news because the ICO is actually doing its job for the first time since its creation. I'm sure it's a one off though.
I think this is a bit overboard. It's not like all the physical Doctor and medical notes are written in hieroglyphics or some complex encryption. There was clearly restricted access to the media, yes it would be more effective if the content were encrypted but I don't think it's like the council were leaving memory sticks and laptops on tube trains. Ahem.
Numpties, plain ol' numpties ...
Governments want our information on a Database!
The ID Cards bit seems to have done a runner temporarily.
All that will happen is that the laptops will be encrypted (BTW, this is Microsoft's big seller for Vista Ultimate into government at the moment) and the password will be stuck to the lid.