Feeds

back to article Council fined £70k after burglars nick vulnerable kids' files

The UK's privacy watchdog has fined the London Borough of Barnet £70k ($111k) after the local authority lost extremely sensitive information about young children for the second time in two years. The latest loss occurred when a social worker took paper records home to work on them out of office hours. The staffer’s home was …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Barnet Council

Tax payers fined £70K for council's data breach.

Council head Social services worker commented "at least it hasnt cost us anything, we'll carry on as normal"

19
0
Silver badge

Re: Barnet Council

These "punishments" won't have any effect until they start docking the wages of councillors and Chief Execs to pay them.

11
0
Bronze badge

Re: Barnet Council

I doubt even that will work. With no impact on the staff who cause the problem, how will things change? It should be a disciplinary black mark at best, maybe even a sacking - might motivate others moving forward?

0
0
Silver badge

Re: Barnet Council

It works because the people at the top, who should be making sure that these "mistakes" don't happen through appropriate leadership and management, are completely isolated from any consequences. If the people at the top - particularly the chief execs - feel the pain caused by the inefficiencies and lack of competence of their employees they will make damn sure that they start doing their job properly.

4
0
Anonymous Coward

Re: Barnet Council

The question that noone seems to be asking is why they had to take these files home to work on them in the first place. I know several social workers and my bet is that they are so snowed under that they had to take work home with them to try to keep up with all their targets (usually set by people at the top who couldn't do the job for which they are setting targets and thus have no clue how achieveable they actually are) .

Perhaps if councils actually paid attention to their own case load limits (my mother, for example, has had to handle case loads 3 times the recommended maximum) and hired more people to cover the cases, rather than relying on people taking the extra work home with them, case files wouldn't be leaving the building and ending up at workers' houses in the first place. But that would cost money of course. Oh, and you'd need to persuade people that taking on the shitty job that is social work is a worthwhile career move.

6
0
Anonymous Coward

Re: Barnet Council

Perhaps if the idiots who keep taking work home and keep working far more hours than they are contracted to stopped doing so the work wouldn't get done and then it would be noticed that they need more staff and/or the targets are not sensible. You cannot complain about work load if you just accept it. Make a noise.

0
1
Anonymous Coward

Re: Barnet Council

And if they don't get done, the cases collapse, they get struck off the registration and then become unemployable.

Don't believe it , look at Baby P. Many people could name the evil Head of Social Services and the Social Workers, but very few could name the killers.

Yup what a fucked up world we live in.

Most social workers utterly refuse to work in child protection due to the extreme pressures they are under (see how many go off work due to stress).

maybe if ass hats stop looking at the one case where they failed and the 10,000 they succeed in, then maybe more people would want to do the job, but for several years at Uni and for £30k a year would you risk being punched, kicked, overworked or hounded in the press ( or by dickheads on forums)

I wouldn't.

0
0
Anonymous Coward

Hold on

Someone stole paedo files?

6
0
Bronze badge

Work away from office

OK, so social workers who visit families have to take some records with them when they visit. If they visit more than one family they might have a number of records with them at any one time. What happens if they get robbed during such a day? Should all such data be always held on encrypted laptops with encrypted memory sticks.

What about the families themselves if they hold copies of such records. What happens if they get burgled. Does the council get fined for this incident too?

1
6

Re: Work away from office

There is no practical reason why records cannot be stored in electronic form on a laptop or on an encrypted USB drive.

As to the records in possession of the families, those are the familes' copies and therefore the familes' responsibility to protect.

3
0

Re: Work away from office

a laptop with a TPM chip (fairly standard nowadays) and running bitlocker to keep the contents of the drive secure. Strong password and/or two factor auth for login. It's not difficult.

if they don't want that level of complexity and can assume a decent data connection then do everything via a citrix or RDP connection from a minimal spec laptop that never has any data on it

once again... taxpayers fined because jobsworths don't do theirs.

5
0

Re: Work away from office

"Should all such data be always held on encrypted laptops with encrypted memory sticks."

Well, yes.

3
0
Bronze badge

Re: Work away from office

Given that schools are now starting to deploy TrueCrypt on staff laptops that go off-site, it's hardly a burden.

Instead of just turning the machine on, you type in a password for the drive. It then boots. End of story. Without the password, the laptop data is useless.

Cost: £0.

Performance loss: Negligible

Security: Virtually perfect (as perfect as you can get when people have to memorise passphrases, or carry two-factor authentication sticks at least)

Liability when something is stolen: £0.

Hassle to the end user: "Enter your password" (which they would have had to do to print out that data anyway!)

3
0
Anonymous Coward

Re: Work away from office

I work for an organisation that works with sensative data too. We've worked round this problem in our area by not taking the actual data out of the office ever, whilst making it availiable to vising officers.

How do we do this? With ease.

Our visiting officers take a laptop with them. The laptop has a sim card in it. The visiting officer uses this to connect to our SSL VPN network, does the work that they need to in the customers house, accessing all of the systems that they have in the office over the end to end encrypted connection. When they've finished, they log out of the service, and shut down the laptop.

Nothing that they've done whilst out of the office is ever on the laptop. The laptop is secured with a username/password that is tied to our network as wall, but there's no sensative data on it ever anyway, so even if it is stolen, there's no issue. Quite why other organisations like ours can't manage this too I really don't know.

If anyone can spot any problems with our setup, I'd love to hear them, always willing to learn, and inprove.

3
1
Bronze badge
Facepalm

Re: Work away from office

@Lee Dowling - Hassle to the end user: "Enter your password"?

None, they'll just write it out on a bloody post-it note and stick to the screen on the fricking laptop!

1
0
Bronze badge

Re: Work away from office

And then you sack them, just as you would if they revealed that password to someone else, or left their papers on the train.

Why people are afraid of enforcing IT policy, I don't know.

1
0
Anonymous Coward

Re: Work away from office

I work for a council supporting the social care dept and we tried this last year. Ever tried getting a reliable 3G connection inside someone's house, residential home, hospital ward etc in a provincial town? You can, but it's very, very patchy, resulting in lost data, appointments abandoned half way through, or info just copied onto paper anyway and typed up later. And that was just accessing a secure website - trying to get a Citrix connection was an unpleasant joke in half the locations tested.

So we're having to develop an offline app that will hold any data needed (on an encrypted device, obviously) and then upload/download whenever it next gets a usable connection.

Roaming is fine if you roam to a set of definable locations where you can be sure you'll be able to connect (e.g. home, another office, cafe etc). It's not so great for having to go anywhere, wherever the work takes you.

3
0
Silver badge

Fines for companies do not work, fines for individuals do.

Rather than fining the councel for the loss which really doesn't affect them, they should have worked out the total fine, and split it between the responsible parties.

If I were to cock up and my company was fined iuno, 70k I couldn't give two shits. If I cock up, and I was fined 2k, as well as the management who should have put stuff in order to stop me from causing the offence then I'd think "oh shiz"

4
0
Silver badge
Stop

People missing the point here ?

The laptop WAS encrypted. It was the paper printouts that were stolen.

2
0
Silver badge
Stop

Re: People missing the point here ?

The real debating point here, is (a) why the employee was allowed to take sensitive *paper* documents out of the building (which is presumably classified as "secure") and how they were allowed to take them to a private address, where a partner, child, visitor could have had sight of them.

I am a massive fan of working from home (do it myself), but it really needs carefully policing where sensitive data is concerned.

What concerns me most, about these LA data breaches, is how we NEVER hear anything afterwards. Was anyone whose data was leaked affected ?

3
0
Anonymous Coward

What I'd like to know is when will the ICO get around to fining 3 and Vodafone for sharing the acitivty of their customers online with Bluecoat without the knowledge or consent of those customers?

5
0

I think they are only allowed to go for soft govt targets.

A private company would probably tell them to F off

1
0
Anonymous Coward

@mark 63

One of the people I follow on Twitter tweeted that he was told by ICO staff that the commissioner did not want a battle with Google. It's hardly surprising I suppose when you see that sort of attitude being displayed that you end up with a regulator that never seems to enforce the law where the private sector is concerned. It's still a pity though (and awfully convenient for them that they have a case management system that doesn't take the type of organisation into account - thus making retreiving statistics on past cases virtually impossible).

0
0

This post has been deleted by its author

Anonymous Coward

Why was a local authority keeping records of childrens "sexual activity", in fact, how were they even getting details of said "sexual activity"?

0
1
Anonymous Coward

Allegations and/or proof of sexual abuse perhaps?

2
0
Rob
Bronze badge

Could be under-age kids that are involved in gangs and required/pressurised into performing sexual acts, there's a number of horrible scenarios out there as to why this sort of information is on file. It's probably best to stick to questioning why the Council is so shit at data security and who should take the blame within that Local Authority.

1
0

Money from one pot to another

Give the council a fine does nothing to help the situation, it makes it worse. Why not say your fine is £70k now spend that on improving your security instead of lining our pockets.

1
0
Childcatcher

Fining the public sector doesn't work.

Sacking incomptent civil servants does work.

So what does the ICO do?

3
0

Re: Fining the public sector doesn't work.

How would "Sacking incomptent civil servants" (sic) affect a local authority?

1
0
SB
IT Angle

harsh

the laptop was encrypted. the paper files were stolen from someone's house, after they printed them out. I guess the only solution is advise people to stop printing sensitive documents at home.

And : "how were they even getting details of said "sexual activity"?"

A social worker probably just asked them, whats the big deal. I think most IT bods would be amazed how hard it is actually doing a proper job (eg being a social work).

1
0
Anonymous Coward

Security being compromised due to cutbacks

I have to post anon because I am connected to people in the social work department in my local authority area, and they paint a very worrying picture of what is happening due to cutbacks.

The local authority discovered that they can reduce costs by reducing office space and making employees share work spaces. This has been termed 'hot desk', currently in my area there is up-to 5 staff members sharing the same desk, due to limited time and access, social work staff are now being required to take their case work home and complete any reports at home (non paid work). This includes taking digital files and hard copies home.

Additionally, since they have reduced office space, they have also removed secure storage facilities, and each social worker is now responsible for storing any hard copies themselves.

One staff member shared with me that they keep their case files in the car. When they get home they wait until it's dark and sneak the files into their home where they keep them locked up. Everyday they have to take the files back to the office, but since there is not enough storage space, the sensitive reports follow them wherever they go.

The local authority will not address the issue as they are being required to make the cuts, and the worry for most of the social work staff, is that if the files get lost or stolen, they will be the scapegoats, even though the decisions made by the local authority (and Government) has forced the staff to work in such a haphazard manner.

It will be only a matter of time, before more cases like this emerge, but unfortunately the social workers cannot speak out to highlight the issues in fear of losing their jobs.

2
0

Re: Security being compromised due to cutbacks

Write to the ICO with documentation of your allegations then and ask that they keep your identity confidential. You'll be protected under whistleblower legislation.

3
0
Anonymous Coward

Re: Security being compromised due to cutbacks

Thanks for the info. I'll look into it.

0
0
Gold badge
WTF?

Hold on. Computer files *and* hard copy.

I've worked in small companies that have this sort of thinking.

From the article.

"when a social worker *took* paper records home to work on them out of office hours"

Usually a sign of senior management being clueless. On the kind of money senior council management posts get there is *no* excuse for being this ignorant.

It's called *data* management for a reason. As in *all* data.

Not "file* management. Not "computer" management.

Quick & dirty solution. Scan *all* documents in and save to TrueCrypt locked hard drive.

0
0
Gold badge
Unhappy

*no* change until senior people get fined/fired/jailed.

Everything else is BS.

0
0
This topic is closed for new posts.