Barnet and West Sussex breach DPA
The Information Commissioner's Office has taken action against Barnet and West Sussex councils after the theft of IT containing sensitive data about children. The watchdog said that personal information about children had been lost by the two authorities because of a "systemic" lack of staff IT training. Both councils were found …
Wont someone think of the Children?
*rolleyes*
they don't get overtime for working from home, if they are overworked enough to take the work home then it is time to get someone to help out. Taking work home is not an option except for emergencies .
why do they need the private data of some many people, to be copied into their home PC? that is the real question that I'd love to get the answer for.
I think you need to try working for the public sector and experience some of the targets, deadlines and pressures and then you might see why your first paragraph is so very wrong.
Find me a local authority that doesn't have an it department that could advise on the safe handling of such sensitive data. I think you need to read the data protection act and see why your attitude (don't blame us we're busy) is so very wrong
It's definitely part of it, but the more of these I read, the more I'm thinking that no amount of training is going to fix this. Even if all staff were bred to paranoia level about data security and used quantum encryption, there will always be the one time they forget.
A deeper question needs to be asked - why is it that so many staff with access to this kind of information feel the need to take it home with them? All the vague theories I have point towards a culture of working (or at least appearing to) late into the evening on ad hoc reports. The completeness of the information that tends to be involved would seem to point this way - the staff don't know what might be interesting so take it all to be on the safe side. They either don't have remote access to the systems at work or don't know how to use things that way; and besides, Excel is just so much more convenient to use with data locally.
Unless it is made phenomenally easy, for these staff to connect, data crunch, and share their results securely and remotely, we are doomed to endless repeats of this story. I suspect we will be anyway, as I'm willing to bet that all those private sector contracts don't even cover ad hoc reporting or, if they do, it's in such a manner that staff are effectively required to work the way they are because of exorbitant charges.
is not there to stop it happening, it's there to let companies wiggle out of taking responsibility. If an employee does something like this they can point to their training, and said employee's signature against it saying they've done it.
Then they can say that they specifically have policies in place against this sort of thing, they don't do it as an organisation, it was just one rogue employee, that needs to be spoken to/fined.
Not shooting the messenger here, Reg. You're right to report it but this kind of story is becoming depressingly familiar. I fear the planned public sector spending cuts will mean that data-handling training is only going to get worse.
I live there - it sucks.
An object lesson in How Not To.
Losing personal data - especially that given under statutory duty (i.e. where the person giving the data has no choice by law) should be a criminal offence. Pure & simple. Like driving offences. We can then have a lawyerfest whilst the meaning of "reckless" and "careless" are debated.
All employees in contact with personal data should have a minimum qualification (ECDL ?).
After all, an employer couldn't get an employee to drive a car if they haven't got a license (certain minicab firms notwithstanding).
If an employers negligence can be shown to have lead to a data breach, the directors can be found vicariously liable.
There. You see what I did ? I treated the handling and possession of personal details seriously.
until thereb is a STIFF penalty for this it will keep happening.
if i can get done for doing 43 in a 40, how can people take thousands of records home, that they shouldnt and lsoe them, yet nothing happens to them.
2-3 years in the kink would fix this up a treat!
I agree, the people responsible should be held to account. OK, if they can show that their employer was negligent in training them then the employer (as in the managers) can be implicated in the crime as well, but I don't think that anyone can expect to get away with "I didn't know that having enencrypted personal data at home was wrong" unles they can prove that they never read, listen to or watch the news. Their only defense might be "I was ordered to take it home to work on it" -- but they'd better have that order in writing, because you can bet their manager will deny it.
as I said initially, there's a difference between data people *choose* to give, and details they *have* to give.
I could live with a civil penalty for the former (e.g. customer database, etc). However for the latter, we need *criminal* sanctions. This is data we had no choice about giving up, and we need the confidence that the state will take care of them.
Maybe we need to approach this from the other end. Make it an offence to be in possession of personal data *without* good reason.
It's amazing that given the very high profile data losses which other government departments have made, it's amazing this carries on.
It's not to do with training, as people have suggested. With so much publicity around earlier incidents, how can the staff in these local authorities not know of the risks?
If the person is intelligent enough to use a USB key, then they're intelligent enough to think about the data that is on that stick and be aware of the sensitivity of that data.
And it's patently fucking obvious what IT devices are most likely to be stolen:
USB sticks, Ipods, TomToms, mobile phones - anything small and electronic.
Until these individuals are individually held accountable, with legislation to hold them to account, yes, I'm talking about not so much the employer, but the individual is legally accountable, and until we start seeing some prosecutions by the DPA of these authorities then this will continue.
Isn't it now about fucking time one of these government organisation was actually prosecuted for the very obvious crime they've committed?
So how are they going to prevent abuse of the data stolen in what sounds very much like a targeted attack? Once the information is out there's no putting it back into the bottle. They're replacing the children wholesale then? Make new ones or something? What?
Or is this another case of getting wrists slapped, still no clue what to do, well, do nothing, or given enough pressure, do something for the show of it but not do anything substantial? No, don't answer that, yes, it was a rhetorical question. Carry on government.
An entire secure and encrypted solution was completely missing.
A lot of these people work from home by default, or are always on site visits, WSCC should have provided a secure fit for purpose solution.
Fining them won't help as WSCC already need to find £75million in savings within 3 years. Perhaps if they didn't spend all their money on tosh and farming out lucrative IT contracts to the private sector. After neglecting and striping their in house IT to the bone whilst the swathes of overpaid middle managers and the hoardes of project managers, who always escape cull after cull, who punish the IT grunts by forcing them to work on tosh projects instead of the important stuff... Typical.
Time for a beer ;-)
"A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands."
Yes. Yours!
Plus ça change...
Never mind this non story. Look at what happens when the personal data gets used e.g. in child protection cases for which purpose it is distributed through unencrypted public email. This is the really serious information about what has happened to people under very distressing, damaging and sometimes life-threatening circumstances. We want to take that child into care because the father is a maniac, just pop all that information in an email to ejones@gmail.com and jsmith@yahoo.com.
When you see what is done with the data you will realise there is no point trying to secure it anyway.
"Look at what happens when the personal data gets used e.g. in child protection cases for which purpose it is distributed through unencrypted public email."
Now that *is* interesting. It was my understanding that pretty much *all* the relevant players in a social services case who would need a *detailed* file would be professional bodies whose staff would be part of some kind of corporate email system (NHS, relevant police service, solicitors) with the relevant backup, security and in principle ability to set up a desktop to desktop secure data transfer.
Yes the parents *might* not have anything but a hotmail account but they presumably already *know* the details. An obvious options is a VPN link into a server PC (real or these days virtual) to view or change (but *not* download) the state of play. Another option is delivery by encrypted file attachment with the password sent some other way or an obscure but generally known one (IE the password is the case file no of the sending organization. Not that many people need to know that and all *should* be interested parties)
"We want to take that child into care "
A local authority that actually does this in the UK?
"because the father is a maniac, "
If you're taking the children into care that's not exactly a vote of confidence in the mother either. And I thought the absolute belief that females plumbing *guarantees* they will make naturally *better* parents was hard coded into the UK legal system. I live and learn.
"When you see what is done with the data you will realise there is no point trying to secure it anyway."
Translation. "The system leaks like a sieve anyway why try to do anything about this bit first"
Ah the apathetic tone, the sense the data does not *really* belong to the people its about. and anyway it's not really our fault.
Social worker by any chance?
When it comes to protecting sensitive information on laptops then we are not talking rocket science or even big budgets (could be less than the price of 1/3rd a tank of petrol per year) - technology is available to make this a thing of the past !!
We are all in situations where the demand of your time at work is greater than the hours you are officially paid for - people do take data home to work on - resulting in an inevitable data loss at some point - eliminate the risk through laptop backup and encryption..
Doesn't the ICO ever take hard hitting action? Nothing in this report suggests anything by way of a deterrent and a learning experience along the lines of "The ICO's punishment hurt, we'll make damn sure that doesn't happen again". A commitment to provide training is just bullshit & bluster.
Real watchdogs have teeth and aren't afraid to use them. The ICO just doesn't have the cojones to hand out punishment.
Make staff *personally* liable for data loss?
So you get bottom up pressure to improve security (or give them access to ways to improve their *own* security as it's their neck that's in the noose)
Make head of department (personally?) liable?
The head of the department in the Baby Peter case did not reckon they should go despite 60 odd contacts over 3 months (that's more than some "problem" families might get in a *decade*) and a very dead toddler on their hands.
It should be a department heads remit to fight for the resources to do their departments job and *nothing* get the attention like the prospect of loosing a big chunk of their *personal* assets if they fail to do so.
Council IT department.
Did they make it *clear* why carrying sensitive data on unsecure laptops is a *bad* idea and that there are simple cost effective options which prevent the data being misused?
Did they suggest other ways to access the data which didn't *need* a copy to be carted around?
If they didn't that suggests they should take some of the blame.
I'd go for the head of department. they're likely to have some understanding of why this mattes.
The council itself.
Tricky. Again what part of the budget to fine? Or make councilors *personally* liable?
As a pragmatist I know institutions take time to change. I think some kind of graduated response is needed. Loosing data is bad. Loosing data *repeatedly* and issuing some "Lessons will be learned blah blah blah" handout BS means the ICO response needs to be escalated.
