A trade body has lost a laptop computer containing the personal details of 37,000 people and information on 1,900 people's driving convictions. The information was kept on an unencrypted laptop which was stolen from a locked vehicle. Repair Management Services of Blackburn has promised the Information Commissioner's Office (ICO …
Trade association?
What was a "trade association representing car repair companies" doing with the information in the first place?
I must take it that they have access to the DVLA database, or the PNC database ?
"I welcome the steps being taken by Repair Management Services Ltd and urge all organisations to implement the appropriate safeguards and training to prevent personal information falling into the wrong hands," said Poole.
"Repair Management Services of Blackburn has promised the Information Commissioner's Office (ICO) that it will improve its data security[...]"
ORLY?! How nice of them.
The quotes above illustrate perfectly why cluefree numbnuts like Repair Management Services and God knows how many civil servants (and private sector employees) in the past will continue to lose our data in pub car parks, leave it on trains or have it stolen from cars: because there are no consequences, and this sort of thing is treated like a non-issue. Let's face it: the ICO's response doesn't even amount to a slap on the wrist.
Unless the ICO comes down on these idiots like a ton of bricks, nothing will ever change in respect to data security. If it can't do this, it will need to be replaced with a less toothless organisation.
I'm thoroughly sick of this. And I haven't had a coffee yet.
What am I missing?
Why would a trade body for car repair companies have information on driving offence convictions for thousands of people in the first place?
Time saving exercise maybe?
I suppose it means DVLA doesn't have to think up fanciful reasons for giving it out now.
I'm sorry, but why on earth does a car repair trade association need data on the driving convictions of 1,900 people?
If I need a massive dent polishing out of the front of my car, why does it make a difference if it got there because I was drunk and drove into a wall, or some idiot hit my parked car?
Putting the issue of security measures to one side for a moment...
Why would a "trade body" need details of driving offence convictions, and the personal details of 37,000 people?
And why was it on a laptop in the first place?
Also, until companies start getting properly fined for stuff like this, they won't bother to act responsibly. The worst the ICO seems to give out is a mild rebuke, which is just not good enough.
Why would they need such data?
Why would a trade body representing vehicle repair shops(?) need to have data containing details of driving convictions? I am sure there is a logical explanation.
No later than next March?
I'm sorry, no later than next MARCH?!?!
Not "oops, we lost some data, we'll encrypt the laptops next week", but "yeah, yeah, give us half a year and we'll sort it. Honest."
OK, so some retard forgot to encrypt it in the first place - mistakes happen. Now they know about it, just do it on Monday! Not sometime before March!
I don't get it. The public sector (and their contractors) seems to approach IT entirely differently to the rest of us. I'm a contractor approaching 50 and in all the places I have worked, not one would allow a database of sensitive data to be copied onto a notebook and taken outside the confines of the organisation. There are ways of moving sensitive data between sites or for accessing information when away from the office but copying data onto a notebook which is then left in a parked car is not one of them.
Every few months, we hear how public sector organisations lose sensitive data and, despite announcements of measures to be taken, the situation is not improving.
Perhaps the sensible approach would be to apply military classifications to all sensitive data in the public sector, with the accompanying penalties associated with mishandling classified material.
Essentially there's no reason to bother implementing encryption and other security measures until after you've lost a load of data, then you say sorry, and promise to do differently in the future.
Substantial fines in addition to being forced into making changes are needed to make outfits take appropriate measures _before_ they lose any data.
Idiots with our private data
At least we're all clear on why a "trade association representing car repair companies" requires information on people's driving convictions. Aren't we?
here we go again
Are the people looking after the public's data just incredibly stupid, or do they just not give a shit.
DON'T THESE IDIOTS GET IT, ENCRYPT OUR DATA, IT'S NOT ROCKET SCIENCE FFS!!!
Aren't we lucky
That our standard crims (toe-rags) are just interested in the hardware and have no interest in the data at all. It's just £100 down the pub.
Of course you can't rely on the police for help... except if you are desperate for a crime number, which they will happily oblige you with.
Suck on this data protection officers
Does an organisation representing the motor repair trade have all those details? Surely it is NO business of theirs if I have a driving conviction?
Once again the ICO have failed to act properly. There is NO excuse for this happening. Any company that treats this sort of data with this level of contempt, and it is contempt, doesn't deserve a light slap on the wrists and a telling off.
And cloud would be better?
Ah well, just wait until the Tories get in and put ALL our data up in the clouds.
Then it will be someone else's fault who 'loses' all the personal info and no blame on who put it there in the first place.
Not really being taken too seriously is it
Perhaps that's because the ICO have clocked that to enforce data security without stopping the flow of information, there has to be a half-decent computer system in place. Which means the underlying business has to be well understood. Which means it has to be understandable, i.e. organised. For the public sector, that bar is too high. The idea of actually enforcing the rules clearly doesn't carry much weight, leaving the ICO to hand out meagre, ineffective penalties.
In other words, I can see the ICO being told not to come down too hard on gov, as there's no hope of them fixing anything quickly anyway. The MVRA are a trade body, so not public sector, but by a very broad definition, trade bodies are still part of the machinery of government. Is this why they got off so lightly?
All complete conjecture, but the story smells. Even though the ICO have a rep for letting everyone off lightly, this seems like a cast-iron case for setting an example, and they let it slide.
To add to the questions
Why did a trade body have such info?
This seems like the opportunity for a good bit of investigative journalism, El Reg. I can't think of any good reason for them to have such private information. Perhaps the DVLA has been negligent?
Here's a thought...
The individuals are prosecuted and spend a minimum of 10 years in prison.
The companies are fined 90% of turnover or £10,000,000, whichever is greater.
Directors of the companies are banned from being directors.
I don't know which organisation is more lame, the people who lost the data or the ICO.
Many complain (sometimes myself included) that penalties for driving offences are too lenient.
Having your personal life exposed to everyone from "Trade Bodies", to chavs, to the Russian Mob seems like cruel and unusual punishment to me, though.
Well the Tories..
....have said they will get rid of the quangos.
If companies are allowed to get off all the time, I'd rather not fund the jobs for the boys in the first place.
@ Frank Sattler
"I'm thoroughly sick of this. And I haven't had a coffee yet."
Hmm. It doesn't seem much better after coffee.
This shower of useless wankers should be being prosecuted!
The bigger question
is why are the insurance companies giving conviction data to a trade association. Either that or they are getting it from the Plod.
If you declare a speeding conviction to your insurers, that should purely be used to assess the risk on your policy and should not be given to the local panel shop. Additionally, as almost all insurance companies now ask about all convictions or pending trials, it won't just be motoring conviction data they hold.
Nice to see the ICO rolling over and doing nothing, and as for giving them until next March to encrypt! WTF, how many laptops do they have to encrypt?
Something is missing here, and it's a lot more than just a missing laptop.
Black helicopters - for obvious reasons
Sackings need to continue
Until the data is secure.
No, wait... have a warning, no doubt delivered with a stern glance over the top of the spectacles.
I'm also questioning what the fuck they were doing with it in the first place. It's bad enough various quangos wandering about with our details without private trade bodies getting hold of them as well. Conviction data is especially sensitive; handing it over to private persons who will probably retain copies of that data long after the Rehabilitation of Offenders Act kicks in (five years for most motoring offences) would seem to cause all sorts of problems and complications. A case for banning the distribution of motoring conviction data in this manner could probably be built from this point alone (IANAL, YMMV, SWW etc).
Those of us who worked for BT in any capacity (back when they were still British Telecommunications) will remember having to sign the OSA as a condition of employment since we had various duties and abilities that brought us into contact with sensitive data. The penalties for misusing this access were pretty severe, which was stressed quite clearly and repeatedly. This used to be the standard for dealing with private information. Now it seems all and sundry have access to unheard of amounts of government-sourced data, spread around on things like personal laptops, pen drives, CD-Rs and so on and all they'll get if they misuse or misplace that information is a stern look from the ICO, as toothless an organisation as the rest of the quangos.
It's about time the civil servants who steer this sort of policy (you're a little naive if you think it's that shower of cretins we "elect" from time to time) got a grip. The DVLA also need a swift kick up their collective arses as this is the umpteenth time I've heard about driver details being misused or misplaced.
Can't wait for UK ID cards
Why they have it?
Possibly because repairers offer courtesy cars and need drivers' details, including convictions?
Although why give these details to a trade body?
Obviously there is the question of WHY they had the information in the first place, for which I still cannot think of any valid reason.
Then there is the separate question of WHY it was being transported anywhere. On a laptop?
This is then 'discovered'.
The ICO have to then go through various processes and see if the story was true and basically run an investigation into how much data, just how personal was it, and any(?) security, etc etc etc.
How can it be in our best interest not to punish them severely for something like this?
Is the trade body paying all the costs involved to the ICO at the very least?
What about all the people whose details were on the laptop? Have each and every one of them been contacted and been made aware of what's happened? If not, why not?
Isn't the DPA a "law"?
Meaning that breaking it is a "crime".
And when the police find out that a "crime" has been committed, doesn't the CPP get involved?
Leading to convictions, fines, jail time etc?
So why *is* the DPA never enforced?
The ultimate blame ...
The ultimate blame goes to those who are putting sensitive data into the hands of those who are incompetent or are not to be trusted with it.
Recipients should be treated as untrustworthy by default and not handed sensitive data unless it is demonstrated otherwise. Unfortunately those handing out our data are either too trusting, simply idiots, or don't really care - I'd venture all three.
The ICO shouldn't be just looking at failures but the background to them.
...no later than next March..
Oh that's alright then.
For a minute there I was concerned they weren't taking this seriously.
Encrypt or pay!!
We really need laws on the books requiring encryption of all machines that ever leave a secured environment, with significant financial penalties for failure to do so (say, $5000 per person whose data is exposed due to losing an unencrypted data device with their info on it).
Encryption is FREE, TRANSPARENT AND TRIVIAL TO IMPLEMENT. There is NO EXCUSE not to encrypt. NONE. The only explanation is pure laziness and complete lack of concern for the security of the data on the machines. Seriously, go download a copy of Truecrypt, full boot drive encrypt, done.
So why *is* the DPA never enforced?
Because this entire country is a joke and everyone has a sense of humour, so why would we take anything seriously?
RE: Here's a thought...
Exactly what I was thinking. This "Trade Association" or whatever the hell it is should no longer exist, everyone whose details were leaked should be compensated and those who are responsible for the data loss should be in prison.
There is absolutely no excuse for this and there is no reason these criminals should have been given any data in the first place.
This is from the ICO's website (couldn't find one for the other numpties):
"Satisfied with our service?
We aim to give the best possible service to all our customers in all of the services we provide. We publish information about the service standards you can expect in some of our key business areas. You can also get this information from our Helpline on 08456 30 60 60 or 01625 545 745. If you are dissatisfied with our service, you can complain. You can also let us know if you think there is something we have done well."
Well, I for one am going to complain, as I don't think they have done well at all. Toothless idiots...
Trade body loses laptop....
Accept NO excuses.
I say, take the b@st@rd$ out, stick them in the stocks, and flog the hell out of them every day, until the laptops are encrypted.
That ought to send a message.
Encryption is a red herring.
Don't take the sodding data off the sodding server and out of the sodding office in the first sodding place.
Isn't it that simple?
You probably won't
want to read through this then:
So how will this trade association handle every one of us making an FOI request?
"I understand that you recently lost personal data which may include data about me. Can you therefore tell me what information you hold about me on your systems?"
Of course the answer is none, because they lost it all.
Could someone on your side of the Atlantic....
...please inform the Information Commissioner's Office (ICO) that "DATA ARE PLURAL"!
"In particular the computer held data which *was*..."
Apparently MVRA were part of Capita (http://www.mvra.com/press/press2007/capita.htm) until RMIF bought them in June this year (http://www.am-online.com/news/story/RMIF-swallows-up-MVRA/42900209)
So is this just another complete fuck up by the incompetent morons at Capita?
If so, what the hell is the ICO doing sitting on its arse and telling them off? Or do Capita have a special exclusion and are allowed to repeatedly fuck up in each part of their company?
It's Capita - no surprises there then
Capita acquires motor trade body - http://www.capita.co.uk/media/Pages/CapitaacquiresmotortradebodyandaccidentmanagementspecialistMVRA.aspx
Also gives an indication that the data would have been used to detect insurance fraud.
Probably isn't correct anyway
The car was an insurance write-off, not a repair, and there was a cock-up over paperwork, so it got scrapped before the insurance valuer got around to looking at it.
Another of their duties under the DPA is to ensure the data is correct.
Has that one ever been prosecuted? It's not just the civil offence of libel.
"Are the people looking after the public's data just incredibly stupid, or do they just not give a shit."
That's a very narrow-minded either/or perspective. You are neglecting the possibility that they may be both incredibly stupid AND that they don't give a shit, which seems quite plausible.