Data privacy watchdogs have fined Powys County Council £130,000, the highest fine the ICO has ever levied, for failing to protect the personal data of vulnerable young people. The Information Commissioner’s Office got out the big stick to punish the Welsh council after it sent details of a child protection case to the wrong …
Here's your fine for sending sensitive data to the wrong place twice... And here's your ISO 9001 certificate for consistency of process.
No doubt the councillors will pay this fine out of their own salaries...
How much did El Reg get fined for failing to protect the data of thousands of vulnerable young commentards?
To answer you seriously. We reported ourselves to the ICO, which then sets an investigation in train.
We will report on the ICO's findings as and when we receive them - and get the greenlight to publish.
Well, my comment was pretty tongue-in-cheek. Good luck with it, in that case.
WTF! What's the point in fining councils. It's Taxpayers' money FFS! It's not the council's, they don't give a damn. People should go to jail for this sort of thing. That will "tighten training" fairly fucking quickly.
Yes and No
I agree that fining the council will only end up punishing the local taxpayer as services are cut to pay it.
I think jail is too harsh a response. But *surely*, for fucks sake, *at least* one person should be spending more time at the job centre than they were.
I don't understand either
All it will do is hurt services in that area, and simply take money from taxpayers in that area to central government, for no reward.
People need firing, not fining.
Your criticisms have been taken on board
....and will be heaved over the side the next opportunity we get.
On the contrary...
...it can make perfect sense.
As Alexander Hanff tweeted last night it's possible that the ICO is turning into little more than a method of gathering yet another stealth tax for the treasury.
1.)ICO fines public body.
2.)Public body pays fine to government.
3.)Government effectively gives less money to the public body without ever visibly cutting their budget...
So the procedures that were going to be put in place, and the lessons learned after the first time weren't actually put in place or learned? Colour me shocked. I'm sure they'll get it right this time, though... a few more £130,000 fines and the council executives might have to start raising the council tax rate or close a few more libraries to avoid being hit by a slightly lower than accustomed annual uplift in their remuneration and bonus, which will surely sharpen their minds.
ICO's 'clout' score needs improving...
I sincerely hope that by the time private companies get a hold of 'anonymous' NHS data that the ICO's regulatory clout is sufficiently pumped up to add a few 000's to the fines they can hand out.
Although 130K might hurt a county council a bit, that wouldn't really raise an eyebrow at a large corporate.
Sorry, the 130K fine hurts the council not at all, it just comes out of the council tax fund and is written off against some other cut in services.
ICO fines to public bodies merely punish the innocent and let the guilty get off scot free. I wonder whether the perpetrators and their managers even get a ticking off!
So, after last time "lessons have been learnt and procedures put into place" will be exactly the same quote this time round, and next time - a blatant lie, and the disseminator of that lie should also be sacked since s/he knows it's a lie.
When I was very young, I used to think councils (and Parliament) were answerable to the public. What a joke!
“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems,” she added.
Indeed - the underlying problem is that when these things happen then taxpayers, who were not at fault, have to pay a fine. Yet we hear nothing of the individuals who were at fault, or their immediate superiors, losing their jobs, being demoted or perhaps they themselves being fined.
No dis-incentives for failure along with "shared responsibility" means no one cares - I've seen it way too much while working in the public sector.
too right, no one cares.
an interesting parallel to corporate identity that these institutionalised morons seem to project is that of being able to try to save face as an organisation - beloved officers and other made up management never seem to be accountable in an organisation which is publicly accountable.
>There is no excuse; basic errors such as printing highly sensitive and private child
> protection reports to a shared printer should not be happening in a modern and
> accountable government organisation
So a printer for each worker?
No printing of any sensitive information?
what is the answer (aside from the really obvious one, that people check to see what they are sending out) then?
Without knowing the role of the person being sent the information (private individual, social services bod, reporter?) it's difficult to say what is going on - the fact that the receiver knew both parties and reported the incident would say to me that they are not a private individual.
PIN Protected Print Jobs
AFAIK some departmental printers let you put a PIN code on print job. The job gets queued at the printer until the right person comes along, selects the job and enters the correct PIN. Then it prints. Used it myself for printing off CVs, references, etc.
No, it's a bit simpler than that, implement print on pin so it only actually comes out when you're at the printer! It's a feature available on all good workgroup printers.
There have been printers that allow secure printing for quite some time. The printer holds the job until the user is present and inputs a PIN. The user can then ensure that they take all relevant pages and nothing else, thus also preventing anyone else from seeing the contents.
Pin Print, Secure print, call it what you will but it's built into the driver of most corporate printers. Should be a fairly simple job of at least changing the print defaults on the server.
Have a shared print queue but require the user to log into the printer/swipe card in order to release the print jobs from that user. That way the sensitive info is only printed out when the responsible person is there to pick it up, not lying around waiting for a data breach to happen.
It's used all over the place, especially where printing costs money so you can have a "balance" on your swipe card.
Shared printers are fine if you are using the right technology. Like only being able to release YOUR prints from the queue if you enter a passcode/swipe your ID badge. Not exactly new technology as it's been around for years and has the handy side effect of ticking a CSR box as it reduces the amount of printing from people forgetting to actually get the printer to print.
Well, yes a printer each is certainly not cost effective.
However, our shared printers have a secure print facility whereby sensitive documents can be locked with your user/pass and will only print out AFTER you log in to the printer. This way you have to physically be there and can stop this sort of mix up.
Of course, even with regular printing these things offset each print job such that only a RETARD could accidentally pick up parts of two print jobs and not notice.
Makes you wonder how many such measures actually are in place but the staff are too stupid to actually use them.
Printer requires password/ID swipe to print
I've seen two solutions to this actually used. In C&W you had to swipe your ID card on the printer to print your jobs there and then. We had a big office, but this seemed to work ok.
Or more cheaply: I've seen printers requiring you to enter a password at the printer to print something out. Job is held until password is entered.
Not rocket science.
Private shared printers is quite simple actually
1. set authentication on all network printing. That is, once you hit OK on the print dialog, another dialog comes up in which you must enter your network (or printer specific) credentials. This is more often used to prevent color printing or to audit printing for chargebacks but can be an effective privatisation tool as well.
2. Even better, set up printers so that the job queues but won't actually print until the user shows up and types in their unique code. The next job won't print until that user comes and types in their code. If it's a private print job, stand there until it is complete and collect your work.
Easy as that and common in many organizations.
Maybe it would suffice that paper copies were not left lying around on printers for anything longer than it takes to hit the print button and walk to the printer. Ideally before swiping your card to release your print job.
They HAVE to print out these documents, as often the people involved actually get a copy of them, also may have to go to a dozen other people.
Individual printer may be an idea, but then who's going to pay for them and then pay for maintenance and support.
How big were the documents? Picking an extra 2 pages up when it's 5 pages is a silly mistake, but if a 300 page monster, easily done, especially if 20 others are printing out all the time.
Let's face it, most of us have done it. I've sent print outs to printers 300 miles away and hope that someone listens and shreds them for me...
And no I don't work for local government, but I'm a realist.
A solution implemented where I work is that all staff need their ID card to print.
You send a print job then go to any printer and log into the printer via nfc "wave". You can then print out the jobs.
This solves the issue of people sending print jobs, then forgetting them and reprinting them multiple times. You can literally only print if you are physically at the printer.
It also cut down paper usage by nearly a half!
“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems,”
The underlying problem is that most staff, and more importantly managers, in the sector still think saying "I'm not very good at computers" and then chuckling is acceptable.
In my previous contract (which was in that sector), I was regularly asked by senior managers to remove the "annoying encryption" on their usb drives. They were unable to operate a basic encrypted drive and so thought it perfectly acceptable therefore to remove that encryption so they could easier access that data on their home pcs, which were more than likely jam packed with crapware and spyware anyway.
The head of the department also insisted that someone forward all her GSX emails to her non GSX email account as she "couldn't access it properly". This according to her was I.T's fault and she saw no problem in both giving an admin temp access to her gsx account and having the emails forwarded (copy and pasted and then sent) to a non gsx account.
When this is the attitude of those who run the departments is it any wonder that such cock ups occur?
Sadly it is exactly these people who are meeting to discuss how to fix the issues.....
Forgive me if I don't expect them to be fixed in a hurry.
One answer would be to use PIN secured printing and/or a stored job for sensitive information, thus ensuring that the individual printing the material is actually present when the printing happens which minimises the opportunity for mixing print jobs up.
The real culprit
Until someone actually loses their job, gets prosecuted and jailed with the head honcho getting the same, this will continue as the real culprit doesn't appear to pay just the taxpayer.
Sacking people for making simple mistakes is a possibility of course
But you might run into problems with employment laws, and it leaves you with the problem of finding anyone better, and competent Social workers are pretty hard to get anyway.
I'd be interested to know though, what aspects of their own jobs the people recommending it reckon should be summary dismissal errors.
Why should employment laws be an issue?
I've signed NDAs on a regular basis and it's made crystal clear that if I violate that agreement, I'd be sacked—and effectively blacklisted too.
If your contract stipulates that it is YOUR responsibility to ensure any confidential information YOU work with remains that way, you bloody well *should* be sacked for incompetence. "I'm not good with computers!" is NOT an excuse in this 21st Century. The bloody things have been in offices since the early 1980s. That's thirty f*cking years! The PC is not "new technology" any more, and hasn't been for well over a generation now.
Ignorance is not an excuse: you're hired—and paid—to do the job. Part of the job description involves handling sensitive data. If you fuck up, you get fired. As does the clearly incompetent idiot in charge of you. End of story.
No, this isn't what *actually* happens, but it's what *should* happen. Unions be damned: incompetence and wilful ignorance should NEVER be rewarded, protected, or revered. THIS is what's wrong with the UK today.
It's high time British corporate and legal systems went back to rewarding success, not failure.
Will they listen this time? With all the cutbacks and no incentive to improve things, like balls will they!
Why bother penalizing them? It's the district's citizens who will bear the brunt of this in further cutbacks. Can't see the fat, greedy councillors giving up their £100k+ salaries to cover the shortfall.
giving up their £100k+ salaries
"Councillors are not paid a salary or wages, but they are entitled to allowances and expenses to cover some of the costs of carrying out their public duties."
You'll notice that they don't even get ALL their expenses covered, just SOME.
I think the OP meant paid executives of the council, like the CEO and the "cabinet". It is rather worrying that most people do not know that councillors have basically no power anymore - it is all in the hands of unelected "officials" employed at appallingly high salaries, who should indeed be sacked in situations such as the story reports.
A little correction. The POWYS TAXPAYER has been fined £130,000 because of a serious breach of the law by an employee of the Powys Taxpayer.
The Taxpayer should not be penalised, but the employee should be sacked, and fined personally.
There is no good in fining a public body.
Save Money - Do More Faster - Forget The Rules
Cut services, increase burden, push push push for more more more and...
Bang, something breaks.
Solution (of sorts)...fire the heads of all state institutions that pass the buck downwards. Then imprison the politicians that pushed the buttons and feel it's appropriate to watch the lower ranks lose pay, jobs, etc. while the heads of heads of heads get more and more for savings made ad infinitum.
Throw in staff that have (believe me, at normal pay levels anyway) been paid less than the private sector would pay them (so say those that award the pay increases), but that it's worth it because they are doing a great service for the people (who appreciate it., not) and there is a good pension as a thank you, at the end...oh, maybe not. Bugger
Where do the fines go?
Just wondering (genuinely interested)) which branch of government stands to benefit from the local taxpayers' loss in this instance...
The 'general fund' I believe. Basically in the pot. Probably spent polishing someone's duck pond or bribing a secretary to keep quiet about sausage time.
Not sure where the fines go, guessing into some central pot somewhere to fund more quangos.
IMO the money should be funnelled straight back into funding measures to ensure this sort of situation does not happen again in the organisation. The managers of the authority should not get to decide how it is spent, that should be dictated by an independent audit and the ICO.
A way to make people think..
H&S is only now taken seriously (perhaps too much so) since people became criminally responsible for their actions or inactions.
Perhaps it's time to bring criminal law to bear on those who otherwise will never be bothered with these other laws...
BUY YOUR OWN F*ING PRINTER AND STOP USING THE SHARED ONE!
Hell of a lot cheaper than a massive fine.
Though I don't doubt that HP will probably charge them 130k for ink cartridges anyway...
No doubt some manager will get a payrise for fixing the situation. I agree entirely that fining local taxpayers is wrong. Perhaps taking the fine from management's bonus and golf junket fund would be more appropriate?
They really need to make people responsible directly for their actions (in respect to staff) and for the management for allowing for these situations to occur.
If you aren't responsible when things go wrong you cannot claim credit when they go right (and give yourself a huge bonus).
As mentioned above pin protected print jobs are a great idea. Not ideal if you are in a hurry but better to get a little right than a lot wrong!
That's a whole percent of Powys's children's services budget for 2011-12. That'll show 'em!
Easier solution than PINs...
The place where I work (on the other side of Offa's Dyke!) is steadily rolling out new printers with ID card readers: you submit your print job to the queue, then swipe your (RF)ID card, choose which jobs to print out (the software and ID card are both tied to your network account), then log off. If you don't log off within 2 minutes it automatically does so. Incidentally the ID card is the same one that lets you into the building, so if you forget or lose it, not only can you not print anything off, you also have problems getting into the building in the first place...
In the old days
In the old days all print would be printed in the computer room and then burst and decollated and dispatched to you off a trolley that the print assistant operator handed you. You got what you printed, nothing more. Nice how things have moved on. Technology just allows people to speed up their mistakes these days. RFID isn't a security measure, given as it's the same one used to get into the building. Also ignores the fact printers have large fat buffers these days and network cables that are not securely attached - ever gone to the printer after your boss - pulled out the network cable and hit the reprint button. Printers should only be used for external users really and more controlled - call it QA for secretaries! There again WHY hasn't HP done a printer with a tablet connection where you print to the tablet/kindle and from there have the option for hardcopy. Save a lot of trees and ink and less ozone in the office around that high-volume laser printer. But seems a bit obvious and would reduce their ink bank sales.
Also did you know in 2 minutes I could email your entire company saying how you all suck - if you have RFID then use it as a proximity feature as well as authentication. Not that RFIDs are biometric in any way so you still have deniability.
Good article about why you can't save costs and share printers
A fantastic reason why that short-term saving on a shared printer are perhaps not that good from a security and PR perspective. Though does place a somewhat interesting perspective into the term "social services". Ironically a parent makes a mistake they lose their child, these people make a mistake they lose a few pennies which you and I end up paying for. Bottom line we pay for their mistakes as well as our own. Sadly though the only outcome from this will be some unqualified imported skill set demanding an iPad so they can be perceived to not be doing their job more efficiently.
I don't want to read about a fine, I want to see somebody's head roll - where is the head, show me the head!
“In so many cases these incidents are the result of carelessness and lack of thought rather than any malicious intention,"
Reminds me of the old adage: Never ascribe to malice that which is adequately explained by stupidity.
Maybe if the ICO started fining local authorities for hiring stupid and untrainable people...
Sack whoever was responsible for compliance
Presumably after the first incident someone was given the job of improving compliance. They are the person who should now be sacked.
Look, it is a bit like this ...
While Councils usually have contingencies set aside it tends to be gloat money.
If people can get through the financial year increasing the gloat fund then all is well.
The trouble is that Councillors tend to be so spineless really.
Rather than starting meetings on lines of:
What are you doing in my name that might get me into trouble or bring disrepute to the Council
it tends to be
How will my Churchillian speech on dog muck at local park go down? I bet Winston would be proud of me and wish he had thought of it first?
Ans: scrap TUPE, scrap salaried wages and all posts (as in ALL) to be clock-in, clock-out