
back to article Council fined for randomly emailing personal data

Surrey County Council has been fined £120,000 by the Information Commissioner's Office for breaking the Data Protection Act. The council was rapped for three separate offences. Firstly, in May last year it sent mental and physical health information on 241 individuals to the wrong group email address. Recipients included cab and …

COMMENTS

This topic is closed for new posts.
FAIL

The point of this is?

What's the point of this farce? One section of govt fines another section of govt and the taxpayer picks up the bill.

Until they start fining (and sacking) the INDIVIDUALS responsible this sort of crap will go on and on and on.

Typical (and all too common) public sector incompetence and the tossers will still have a job this time next year.

Try landing your employer with a £120k fine in the private sector and see how long it is before you're escorted off site.

9
0
FAIL

What's the point...

...of fining the council...the fine will only get paid with our money. Fine the fucking idiot that sent the stuff out...and then sack them.

8
0

Which will be passed on to ratepayers

It's nice to know that those responsible receive extra staff training while the ratepayers get stuck with paying the fine.

2
0
Gav
Alert

World's worse data protection

"The file was not encrypted or password protected."

Cos it would have been ok if it was "password protected", wouldn't it?

Why are we saying this as if it makes any difference to the leaked information? There really needs to be more effort from everyone to hammer the point home that as a method of security, "password protection" is as useless as locking your front door when you have no walls.

2
1

Pointless fines

Firstly, why is it suitable to populate and disseminate an Excel spreadsheet with sensitive data? Surely there is a better/more secure way to do that? Or if you have to, why send the spreadsheet, why not a link to some secure internal shared space? Even if the link gets out - dead URL contained in it.

Secondly what's the point of a Government body fining another Government body? Surely the Council's bigwigs will just shrug this off, it's not their money. Why not fine the directors (or equivalent in public sector bodies) personally, each at this level. The threat of a £120,000 personal fine would mean I'd certainly tighten up all the procedures as a matter of priority.

In the meantime, the good citizens of Surrey suffer either via a Council Tax rise to cover this, or a reduction in services to make up any shortfall. The Council itself, bar some bad publicity, is in the clear.

4
0
Bronze badge
FAIL

Bleh

I don't see how shuffling funds from one government department to another is going to help in any way or form.

I'm guessing Surrey's council taxes will cover this :/

People who are responsible need to be held to account, not the pockets of the investors, a.k.a. the taxpayer.

1
0
Ru
FAIL

"The council tried to recall the email"

And here we see the problem with people using Outlook/Exchange internally, and not understanding the rest of the world might not work quite the same way.

3
0
Bronze badge
FAIL

I wondered

what in the hell 'recalling mail' would be, is this the internet equivalent of getting your hand stuck in a pillar box?

It'd HAVE to be Microsoft, wouldn't it

3
0
Meh

It's worse than that...

they're a Lotus Notes organisation.

0
0
Silver badge
Flame

Err...

...I think you mean "Taxpayers punished for civil servants' ineptitude", after all it's us who pay these fines to...err...ourselves in cases like this. Those who failed (if anyone) need to face the music, not our collective wallet.

Oh, wait, this is the civil service. I forgot.

Carry on!

0
0

Paid the price?

"Information Commissioner Christopher Graham said the council had paid the price for failing to handle sensitive data appropriately or to have security measures in place."

He means the people who live in that borough paid the price through more cuts to their local services or increases in council tax to pay the fine right?

1
0
WTF?

pointless...

Until individuals are fined or punished this achieves nothing. It's simply the transfer of public money from one place to another.

1
0
Mushroom

Pointless

To fine the council tax payer.

Fine the pension fund of the chief executive then the council will take more notice and work to prevent this kind of stupidity.

Fire the people who sent the emails out as well.

Charging the public purse for the failures of individuals will achieve absolutely nothing.

2
0
FAIL

That's what I like about

this country. The council doesn't have the resources to train its staff to make sure these idiocies don't occur, and the best way to deal with that is for the courts to take away more resources by fining them.

Wouldn't it have been better if the court had ordered the council to spend that money on training, or for implementing safeguards? Like a proof reader type person who could manually validate the post before it went out.

ALF

0
1
Flame

Well no....

"Surrey County Council has been fined £120,000" - No I think you'll find that ultimately tax payers have been fined £120k.

Don't bother giving fines to these public bodies – none of them view it as real money anyway; it's about time those responsible are strung up from the nearest lamppost and made to pay for their utter incompetence!

3
0
Silver badge
Thumb Down

Fining councils

doesn't work. It only hurts the ratepayers because the council will just factor the fine into its budget and raise rates accordingly. What needs to happen is that the oiks responsible for sending the emails should be PERSONALLY fined. Then it doesn't affect the ratepayers, and the idiots responsible get an expensive lesson on why to treat other people's information with respect.

1
0

Stop fining councils

They're already strapped for cash and this benefits nobody. Sack those responsible instead.

3
0
Silver badge

Typical Surrey incompetence

This is just the tip of the iceberg, only that the majority of the problem doesn't involve personal data.

The entire council has a policy of non-transparency and avoidance of responsibility. It's a wonder they didn't attempt to cover this up and threaten the people complaining to the ICO with dismissal.

2
0
Meh

Type your comment here

Hurrah, so in short a government department has moved money from one department to another and I take it the affected parties get nothing?

0
0
Unhappy

Great!

"Soon after that incident in June, the council sent a second email containing personal data on several individuals to 100 people who had registered for a council newsletter."

Oh well I suppose they at least got their money's worth from their council tax that month!

Honestly what the flipping heck is wrong with these dingbats? How about putting a block on the email servers that quarantines anything with attachments coming in or going out? Alright it's not perfect, but better than just sending stuff and only realising it some days later when it's way too late to be able to do anything. If someone has to release emails there is at least a "paper-trail" of responsibility.

1
0
Thumb Down

Who really pays the price of incompetence?

"Information Commissioner Christopher Graham said the council had paid the price for failing to handle sensitive data appropriately or to have security measures in place."

Oh really? You mean the council tax payers are going to pay the price in reduced services in order to meet this fine. Did anyone's head roll?

1
0
FAIL

Or more accurately...

The taxpayers of Surrey have been fined.

1
0
Gold badge

paid the price?

"...said the council had paid the price for failing to handle sensitive data appropriately..."

Really someone in the council should be responsible for ensuring they do the right things (even if they don't have the title 'data controller'). What happened to them? Have they had their hands cut-off? Slap on the wrist even?

Fining the council does nothing except further punishing the people of Surrey, since there will be less money to pay for their services.

I'm glad to see the ICO starting to grow some teeth, but I think that they need to be bared more often, and used against PEOPLE who are the cause of the issues.

1
0
Coat

If I were a rate-payer I'd be mad...

...oh, maybe I am, better check that email again.

0
0
Silver badge

Not quite Correct

" ... the council had paid the price for failing to handle sensitive data appropriately ..."

Actually, Surrey ratepayers (poll tax..) will pay the price, in reduced spending on services or an increase in their payments next year.

I'd like to see fines of this nature levied on executive salaries/bonuses and managerial bonuses, over a three (or so) year period. Yes, dream on, I know.

0
0

pork barrel

say no more.

0
0
FAIL

The council tried to recall the email?

but was unable to verify what happened to the information.

Are there people out there who really believe that works?

Another MS-foisted Outlook problem.

If public orgs really had a clue, info like that would be on a secure server linked to users with one-time URLs, not needing to be emailed at all - just like a decent content delivery network

3
0
Facepalm

Jobs on the line

*sigh* Until people are actually made to pay for their mistakes, through disciplinary action or losing their job, this will keep happening. It's always "lessons learned" and "new procedures", but it needs each and every person handling confidential data to (1) KNOW how to secure it, and (2) THINK about possible risks.

1
0
WTF?

Bolt Horse Door

"Surrey Council has since added an alert function when sensitive information is sent to an external email address."

Hopefully this stops sensitive information going out rather than notifying after the fact. But how would such a function work? Does sending of an Excel spreadsheet trigger it, as it's well known that it's used as The Database?

0
0

Ouch

You'd think that after the first incident, they'd have got in the habit of at least using password protection.

The newer versions of Excel (for example) encrypt a password protected file and currently the only (public) way to get to the info is by brute forcing the password. I'm talking about password locking the file, not a sheet (which is still insecure).

0
0
Thumb Down

And the net result is?

I wonder how much effect fining a public body has? In this case it will mean that some other council service is cut or curtailed or that the future council tax will be increased, hard to see how this acts as any sort of deterrent or punishment.

0
0
FAIL

Correction

"Surrey County Council has been fined £120,000 by the Information Commissioner's Office for breaking the Data Protection Act."

Should read:

"Surrey Council has been fined £120,000 by the Information Commissioner's Office for breaking the Data Protection Act but no one at Surrey Council will be punished and the people of Surrey will actually pay the fine through their Council Tax."

People of Surrey, sack someone senior in the Council in a very public manner so that other Councils will learn and ensure the Executive of Surrey Council do not get a bonus this year.

0
0
Stop

Seriously?

Surrey Council has since added an alert function when sensitive information is sent to an external email address. It has also improved staff training.

Nothing to indicate they are encrypting personal data?

0
0
FAIL

"The council tried to recall the email"

If you can recall it, it's not email.

Want an analogy? If you're quick enough you might snatch something back out of company pigeonholes or even the "in" tray on someone's desk. But getting anything out of a post box requires at least waiting for the collector, but were I him I'd not let you without some sort of proof you put the letter in there in the first place. As for letter boxes, that'd be breaking at least if not quite entering.

Likewise email. If you've handed the mail off to someone else's email handling machine, it's no longer in your power to recall. If you don't understand that, you really don't have business using the service. So it's not a valid argument.

2
0
Facepalm

'an alert function when sensitive information is sent to an external email address'

Hopefully, it will alert *before* the information is sent? Or will it just play a snippet of Britney's "Oops I did it again" after the event, to confirm the user is indeed a lunghead?

0
0

council response prediction

Don't worry, I'm sure the council bosses will take full responsibility and more importantly, lessons have been learnt. Now, back to that golf swing...

0
0
Thumb Down

We need personal liability for this to work.

Staff in bookies, pubs, off-licences and tobacconists are all personally liable for dropping a bollock. They're also worse paid.

1
0
Facepalm

no surprise

not overly surprised at this, when trying to educate council 'users' on IT security or information handling the response was 'okay we'll do it, unless it means we have to change the way we work'.

They knew best.....

2
0
Paris Hilton

How much

are they paid?/do they understand? The majority of staff on yer local council do not even understand computers let alone the security issues such as encryption. How many are 45+ yrs. old? You have local council managers applying cost cutting across the board - more "work - i.e. duties" for the same pay with little or no training. These workers do not understand exactly what the keystrokes mean ffs! They just do the job. Any confidential info. should be held on an encrypted file anyway. Local govt. is broken as far as these issues are concerned - if the high street banks can't be arsed to do anything about it, what price your local council? FFS!

Paris - 'cos she can be arsed, allegedly...........

1
0
Pint

That alert function in full.....

System/ Caution : You are about to send sensitive information to www.mygreenknickers.com

user/ yeh, so what?

System/ It's a Friday afternoon and you're likely to be pissed after starting the weekend early

downt'pub, lad...

user/ yeh, fuggit like......

0
0
Coat

Performance related pay?

This is what the Chief Executive's Performance Pay element is for. He has failed, and should forfeit £120K from his pay. And do the same to his line managers.

0
0
Thumb Down

Once again, inappropriate action by ICO

Sackings and/or jail terms are appropriate. Passing on the cost of the council's fuck up to the tax payers is not.

0
0
Thumb Down

American here

I am not from the UK, but agree about the fines being useless, but they could just use Google Docs, and control who has access to each document or spreadsheet.

0
0
Silver badge

Personal responsibility

Staff doing this should face disciplinary procedures, to understand the seriousness of the transgression - AS SHOULD THEIR MANAGERS.

I'm glad the ICO is starting to bare its teeth but they need to go after some of the more egregious offenders such as advertising companies which are still scraping data.

0
0