The UK's information watchdog has slapped two London councils with hefty penalties for failing to encrypt personal data on laptops that were stolen by thieves. Ealing Council and Hounslow Council were both found to be in serious breach of the Data Protection Act, ruled the Information Commissioner's Office today. It said two …
The problem with this
is that the people whose data was lost are going to be among those who actually have to pay the fine.
Seems kinda pointless...
"Hello, public? Yeah. You appear to have had your personal data stolen. This is going to put you in danger of ID theft and various potential ills, so watch out, and keep an eye on your credit reports for any loan applications taken out in your name. Please accept our apologies. Now listen, there's a fine payable for this, so if you'll just bare with us for two moments, we'll work out your share and arrange for you to pay us via your next council tax bill".
Personally, I say bring back hanging.
@ Dave B 1
"...so if you'll just bare with us for two moments..."
The word you are looking for is "bear", not bare. I don't think the council would want all the people in their area to bare anything in public.
And the fine will of course be paid for by the taxpayer. Thanks guys.
I'd much rather the idiot with the laptop and the idiot who gave them it were sacked.
people who should be sacked
The idiot with the laptop? Not really their fault; they are unlikely to know better. The laptop required a password to access, and they almost certainly thought that was enough.
The idiot who gave them the laptop? Maybe, but probably not; they are almost certainly working to a policy.
The answer is to sack the person in charge of data protection, the person responsible for writing the data protection policy or the person that should have employed someone to be responsible for a data protection policy.
I agree there's no point in giving the council a fine; reserve that punishment for businesses. If you fine a business then the CEO doesn't get a new Jag this year. If you fine a council the only people who will lose out are the residents, either financially or as a result of a loss of service.
Speaking from experience
Actually, it's frequently the case that the Data Protection Officer or similar doesn't have the authority to mandate particular security measures and even more frequently it's those in charge of the IT budget who are obstructive. "We don't have the budget" is the most common refrain, especially if it would take a ludicrously expensive change request to the outsourced service provider to get anything done.
A few years back I was working in a reasonably high profile public sector watchdog organisation with access to some extremely sensitive data. My manager and I could emphasise the need for encryption of all laptops till we were blue but were told no. It was the Head of IT who actually said "It's too expensive, too time-consuming and too irritating, so we're not going to do it". Fortunately (in a way) the HMRC data debacle happened the next week, so that position had to be reappraised.
High profile losses and fines do actually serve to force other organisations to get their houses in order and the fact that the ICO is levying fines might help - though the lack of custodial sentences means that the deterrent effect is still limited.
It's all very well to harp on about firing the DP person, but I suggest it would be more appropriate to investigate each incident first, find out who acted against policy and who failed to put decent security in place, who didn't act on proper recommendations before calling for your pound of flesh.
No they haven't
"Both council have paid the price for lax data protection practices," said ICO deputy commissioner David Smith.
No, it's the residents of Ealing and Hounslow that will pay the price when the next set of Council Tax bills hit their carpets next month.
Which goes to show
...that the incidents, after thorough investigations, should result in fines against the individuals that are responsible, along with enforced changes to organisational policy with spot-checks thereafter.
Fining only works at organisational level for private enterprise but takes the piss with the public-funded sector.
Do they have their I.T. in house?
Or are they like some other councils who outsourced it all when that was the rage and are now reliant on advice from a commercial organization?
If it's the latter I do hope we'll be seeing the councils suing said commercial organization for failing to properly advise them on both security and the potential penalties for failing to secure.
What do you mean "Did I see that pig?"...
So now I have to technically pay for this cock-up through my taxes?!
Why can't you just sack the muppet who lost the data or sack the muppet in charge of the plank, who lost the data?
Fining a cash-strapped council makes no sense. Oh, of course this is local government, nothing makes much sense!
wait, let me get this right...
Councils get fined for their breaches of the DPA, which means the taxpayer has to pick up the bill. BT and ACS:Law get away with a slap on the wrists?
How does that work? Friends in high places?
I can only echo the sentiments above.
Someone should be sacked and/or jailed over this. The fine is adding insult to injury and amounts to the ICO stealing from taxpayers in those districts.
This would have worked out better for those hit had the ICO not been involved. Perhaps someone from the ICO could explain why they are stealing taxpayers' money and where it is going?
If leaving it on a laptop is bad, what's connecting it up to the web like the badly set up benefits systems of so many councils?
Lots of people complaining that the fine is paid by the taxpayers
And I agree that the person who put together the data protection policy should go, but it seems to me the point of the fine is to send a message to other councils etc that this is an area that they need to improve on or they will end up paying (and getting a lot of bad press)
If this fine means other councils get their act together then it is an acceptable burden on the taxpayer. Of course, sacking the policy person would also be acceptable.
RE: Lots of people complaining that the fine is paid by the taxpayers
So why would another council be worried? If another council fucks up they get their budget cut and spend less on street lighting, or doing up the local community centre or whatever. Then the residents get pissed off and... what exactly? Move? Since you are forced to pay council tax to the council where you live (which does make sense, I'll admit) there is nothing you can do.
Even if you vote out one mayor, for example, the next will inherit the same pricks that lost the data for the last one.
pour encourage etc etc
The only problem is that, sadly, it will make absolutely no difference to other councils, for the very reason that it had no direct impact on the council itself.
Councils (and other publicly funded bodies) are just like children in that respect: if you fine the parents when a child is bad it does not educate the child, as they see no connection between their actions and their parents' punishment.
If you want to educate the child (council) you must directly affect them by withdrawing something they value until their behaviour improves. Perhaps for a council you remove council-provided facilities such as travel allowances or parking rights for the offending person and the two/three steps up their line management, to inconvenience them and let them feel the frustration that carelessness can cause. Or, worse still, you could have them get independently clocked in/out on a daily basis and work in an open office so that everyone can see their shame, and they only get paid for the hours they attend.
I know this may sound a bit draconian and unfair but...
It has been known for a very long time (well in excess of 5 years) that it is a bad idea to have confidential information available on insecure laptops.
5 years is more than enough time for policies, procedures, training and compliance processes to be put in place within public bodies to secure data on mobile systems. If it can't be 'adequately' secured then the system should not be used - simple! Failure is not an option.
Failure to have these systems in place should be made a serious criminal offence. In the event of loss of information, if investigation shows individuals to have been responsible, then significant personal fines and gaol time should be available penalties. Bollocks to the 'Oh, it was just an accident' defence.
If I lose significant client data, I am suspended and my contract terminated for gross misconduct. No 'Ifs, ands, buts or maybes'. I make sure I don't have the opportunity to lose the information!
Bleeding hearts who make pleas on behalf of ignorant fools who lose personal data upset me mightily. If you need a tool to do a job then you should know how to use it - just like a chainsaw.
How about "extended minority"?
In Belgian law, there is a legal status of "extended minority", meaning that someone is still officially a child despite being born a sufficient number of years ago that they would otherwise count as an adult (usually used in cases of severe mental handicap).
If only we could have something like that here, for people who aren't ready to be unsupervised when doing things that might affect the public.
@James Hughes 1
"If this fine means other councils get their act together then it is an acceptable burden on the taxpayer."
That's one hell of a *big* if.
why was the data there?
Even though I have no idea what the data was for, or the way their system operates, I can't see any reason for that amount of data to be on one person's laptop.
And yeah, someone should be sacked; hard to say who, but if they have no policy of encryption then someone very high up.
@Why was data there
There are dozens of good reasons why that could be... A social worker who is on out-of-hours duty call for a large area could easily have to have basic detail on that many clients, if it's only at the level that so-and-so is a client. And if you are out on the road then it's going to be very difficult to find a Government Connect approved link, so you won't be able to get into the online system, even if it is 24*7 supported (unlikely - budgets) and guaranteed to be available when you need to find out if Mr X has a history of beating up his current girlfriend's little children or Ms Y has a tendency to feed the kids smack if they wake up and cry in the night...
"There are dozens of good reasons why that could be... A social worker who is on out-of-hours duty call for a large area could easily have to have basic detail on that many clients, if it's only at the level that so-and-so is a client. And if you are out on the road then it's going to be very difficult to find a Government Connect approved link, so you won't be able to get into the online system, even if it is 24*7 supported (unlikely - budgets) and guaranteed to be available when you need to find out if Mr X has a history of beating up his current girlfriend's little children or Ms Y has a tendency to feed the kids smack if they wake up and cry in the night..."
All very worthy
So why not fit *all* office laptops with something like TrueCrypt and either assign and change the passwords on a regular basis (not letting staff change their own) or explain in detail what happens if they forget it.
Who benefits from the fine? Who gets the money?
Am I The First To Remember........
... mal/mis/non-feasance in public office?
We did this three weeks ago.
It all comes down to balls
The councils ballsed up but we end up paying the fine. Why doesn't the ICO name and shame those responsible for the balls up and hit them with a fine?
Because it doesn't have any balls. Sure it can fine a council or two and the odd hospital but when it comes to businesses, the ICO's balls suddenly go missing.
As I've said before, the ICO is unfit for purpose. Lacking guts and balls, it is an irrelevance that should be terminated and a new, appropriately staffed and powered body put in its place.
As AC above says: "5 years is more than enough time for policies, procedures, training and compliance processes to be put in place within public bodies to secure data on mobile systems."
It isn't rocket science.
I can't reconcile this decision to fine the council with the ICO's decision to let BT off completely. Ealing council had a policy which employees did not carry out. According to the BT/ACS:Law case, then, the ICO should have declared that a matter for internal discipline of the employees. Or is it one law for a local council, and no law at all for a large national telco?
Another IT catastrophe for Ealing
Ealing being the council which two years back lost all their IT systems to an infected memory stick, including its Cisco telephone system, for the best part of three weeks because, as I understand it, they hadn't updated their anti-virus protection for five years, let alone partitioned the network or taken any of the other basic yet essential precautions.
But in the world of public sector mediocrity, unlike that of greedy bankers, it was just one of those things that happens to every large organisation sooner or later, according to Ealing councillor Phil Taylor (http://philtaylor.org.uk/?p=2282). The IT manager who presided over this didn't walk and is presumably still in line for a golden handshake and 2/3 final salary pension at the council tax payers' expense.
We pay, whatever you do
As most of the posters above say, a fine punishes the innocent taxpayers, not the council. Several have demanded that offending council employees should be dismissed or otherwise disciplined.
One poster (Qtoktok) suggests "it would be more appropriate to investigate each incident first, find out who acted against policy and who failed to put decent security in place, who didn't act on proper recommendations".
Imagine the process necessary to sack a council employee. Think of the numerous well-populated meetings that Qtoktok's investigation would entail. (Can't you just tell he's worked in the public sector?) The eventual cost of all these suggestions would make the ICO's fines look trivial. And who ends up paying? We do.
The only answer is to curtail the scope of government. When councils just did bins and drains they were cheap and relatively trouble-free. But that's a larger issue.
@curtail the scope of government...
Yep, that would work... Provided of course you can make "s*** happens" an approved and acceptable response whenever journalists come round and they and their interviewees complain about little disabled Sara not getting a special school place, or Ms X losing another baby to the latest violent boyfriend or Mr Smith trashing his nice alloy wheels in a pothole or all the other stuff...
Unfortunately these days it's always "something must be done". And doing something costs money...
Fines not fine?
Fines -- if high enough -- might help alert councils to their responsibilities. The ideal solution -- but this will be when pigs take wing -- would be for these fines to become surcharges on councillors -- that's where the buck should stop.
I've been in posts with responsibility but no authority.
Let the IT ignorant f*****t who has sign off authority make the decisions and live with them.
I'll tell them they have a problem and what will happen if they don't handle it.
"It's just one of those things"
No you w***er it's your failure to plan.
I guess having a "responsible" job is easy if you have no actual sense *of* responsibility.
I'll douse the flames and return shortly.
I was on the Ealing laptop data.
Having had my details passed on with the security of a hand-written note, I now have to pay for the privilege. Ealing, I hate you.
The law should be changed
To allow for the fines to be deducted from the pension pots of the heads of department and the Chief Executive(s) of the council, and if any consultants or other organisations were involved in the policy/process, for them to be fined as well.
That way even the Kevlar-proofed lifetime civil servants have some accountability and feel the pain of their errors.
Encrypt client data...
No, encrypt /all/ the data on the laptop, not just the client data. If there's one thing that's going to stop people using encryption systems on their computers it's having a "please enter password" box pop up for EVERY SINGLE SODDING BL***Y FILE they try to open. Encrypt the entire bloody device, return-to-maintenance lockup after 3 failed logon attempts.
Encryption will not work
The idiots will keep the encryption password on the computer or on a piece of paper kept with the laptop.
Encryption will not work
The idiots will keep the password on the computer desktop or on a piece of paper kept with the laptop.
Why doesn't the ICO fine the Council CEO out of his/her salary? It's mostly big enough to take a bit of incompetence now and then.
But if it starts to happen too often, it might cause a flicker of interest as to what's going on in the ship, and provoke some cracking of heads of those planks that are reducing his/her income.
Focusing the mind of the responsible person while on the golf course could be a way forward to the dramatic improvement of departments.
Councillors responsible for failing areas could get censured too, although kicking them out of public office for a while would be more appropriate seeing that they are non-salaried.
We need a cute acceptable buzzword for a scheme that is the opposite of a bonus, to be implemented where negative results are achieved - and not just for Council CEOs either!
Feedback please to the ICO!!!
The Register - can you kindly feed all these comments back to the ICO? I guess there is a slim chance they might realise the stupidity in fining any public sector organisation (NHS, schools), as the fine is ultimately paid by the taxpayers.