back to article Scots council cops £100K fine for spaffing vulnerable kids' data ONLINE

UK data privacy watchdogs have fined Aberdeen City Council £100,000 after a council employee published vulnerable children's details online. The sensitive social services information was released after a council worker accessed documents, including meeting minutes and detailed reports, from her home computer. A file-transfer …

COMMENTS

This topic is closed for new posts.
Unhappy

Policies?

Checking our policies now.

I hate seeing:

Data Protection Policy - homeworking: refer to the HR Homeworking policy

Homeworking Policy - refer to the Data Protection Policy.

No ambiguity there.

6
0
Silver badge

Re: Policies?

And having found such an incorrect policy, did you just laugh at the stupidity of it, or also drop an email to the IT director? If you only did the former then you're part of the problem (and possibly legally liable as such).

1
3
Silver badge

Re: Policies?

And if you did the latter you're now on the shit list for pointing out a major problem without a cost-free, effortless solution. (And, worse still, implicitly criticizing the senior people who set up the existing system).

13
2

This post has been deleted by its author

Silver badge

Re: Policies?

Which is why companies should be required to have whistle blowing policies (although if they can't get the Data Protection and Homeworking policies in place, they don't stand much chance of getting a whistle blowing policy that is considered safe).

1
1
Silver badge
WTF?

Re: Policies?

Astonishing. You find an error in an IT policy, probably due to a misunderstanding or unclear goals when it was drawn up, and you want whistleblower protection against ending up on a "shit list"?! Do you still put your hand up and ask your boss for permission when you need to go for a piss as well?

2
2
Silver badge

Re: Policies?

"Do you still put your hand up and ask your boss for permission when you need to go for a piss as well?"

Only if I think it will go down as a black mark on my zapiska if I don't.

0
1
Silver badge

The title is incorrect

"Scots council cops £100K fine for spaffing vulnerable kids' data ONLINE"

Should read

"Scots council tax payers cop £100K fine for spaffing vulnerable kids' data ONLINE"

Were the managers who had failed to put the policies in place (or block home-working) fired?

No.

So nothing will change.

13
1
Anonymous Coward

Re: The title is incorrect

Given the amount of debt Aberdeen council are in, I wouldn't worry about it.

1
0
Silver badge

What does fining Aberdeen City Council achieve?

I assume it means moving some tax payers' money from one government department to another. The audit is a start, but that can only identify problems. There needs to be an incentive and a budget to fix them.

3
0

Technical Detail

Any chance of digging a bit and finding out some technical detail?

I'm struggling to see what sequence of events would get documents from work to be auto-magically published publicly online?

Is it a Dropbox 'feature' I'm not aware of?

Some Facebook thing?

iCloud?

Some sort of shared folder Limewire fail?

So they didn't have a policy/process for home working. Does that mean she just emailed stuff to her home account? Or do they have a homeworking solution, just badly implemented?

4
0
FAIL

Re: Technical Detail

She was using a second-hand machine. The FTP Auto-uploader was a present left behind (accidentally or deliberately) by the previous owner.

She probably took the stuff home on an encrypted USB stick with the blessing of her manager, coz that's secure innit?

That blessing evaporating as soon as an investigation started.

1
0
Bronze badge

CCT?

I would like to know if the 'Council Employee' actually was a direct employee of the council. In my experience, a lot of council employees are actually employees of companies like Capita and others who do everything they can in the name of profit not to spend valuable profits in training their staff.

They will send round little notes or booklets of guidelines that staff have to sign to say they have read the regulations affecting their work, and that is about as close as they get to real training. Possibly councils, too, are afflicted with the money-saving booklet idea instead of using professional trainers to help produce professional staff.

3
0
Anonymous Coward

Size of fine is immaterial

it'll only get overturned

http://www.theregister.co.uk/2013/08/28/ico_wrong_to_serve_local_authority_with_data_breach_fine_tribunal_rules/

1
0
Anonymous Coward

Follow the money

So local government or the NHS who get money from central government to provide services (and some from local people, who also give the money to central government so they can give it to the others) have to give some money to central government. Will central government now need to hand that money back so that the local government and NHS can afford the fines they need to pay to central government?

from a turnover point of view :-

CG > Grant > LG £500k

LG > Fined > CG £500k

CG > Loans > LG £500k

LG > Repayment > CG £?

so for £500k moving round a turnover of at least £1.5Million sweet

1
0
Anonymous Coward

Going by experiences of the wife....

...then it was probably done as the "remote access" systems consist of asking someone in the office to email you it in a Hotmail account.

Hint: wife had to put up with 8 days' downtime to the entire office (40 people) due to a single failed part on a single server.

The "fix"?

Take USB pen, walk 20 minutes, copy said files. Walk back. Amend files. Repeat.

0
0

This will continue to happen until we start seeing staff being personally held responsible for this and seeing it published - was this staff member sacked for gross negligence? Was their department sticking to any agreed mandatory training for staff? If not, why not?

People need to start losing their jobs for this sort of thing, but it rarely happens and usually involves some deal for them to leave with a golden handshake.

2
2
Silver badge

Was the user aware of the file transfer program?

Should they have been?

Should a case worker have done a security audit of a machine supplied by the council?

0
0
Anonymous Coward

Buck passing

In my experience it's likely that the staff member was put under pressure to get the work done, but given insufficient time in the office to do it and absolutely no support to make sure that the data was secure at home, partly because the people above will not have wanted to know staff were working at home.

Management will have made very sure that they had no idea what was going on and just expected outcomes to materialise.

5
0
Silver badge

Seems like Aberdeen is in dire need of a new Council

So this time it's vulnerable children's details posted online. I'm sure the kids needed that.

Last year, it was Moccasin Creek.

Trouble was brewing before though, and some local citizen tried to do something about it in 2011. Maybe she was unhappy about this.

But hey, no problem really. After all, £100,000 is just 9 days of bus lane penalty fines, apparently.

0
0
Bronze badge

other news

Private sector rarely has really sensitive personal data, hence public sector over-represented in data protection breaches. Still inexcusable though.

0
0
Anonymous Coward

"The fine against Aberdeen is further evidence that there's a poor data security culture in local government that appears to be deeply ingrained. ®"

Absolute nonsense. I'm a private sector consultant, with my time split about half and half between public and private work. Both sectors are as bad as each other. The difference is the public sector are more likely to report breaches because there's no risk of them triggering punitive contract terms or suffering damage from losing ISO27k as they're the sole, public provider of their service. On the rare occasion the private sector do report their own breaches they usually throw lawyers at the problem until it goes away - ICO don't have the resources to fight such cases, just like public sector bodies don't have the resources to sue ICO to make their cases go away. Further, private bodies rarely handle sensitive information on the same kind of scale as public bodies, so when those rarely-reported, often-contested breaches do occur, they're of a lesser magnitude anyway.

3
0

Social Workers not very good at IT Security

Pope not protestant

Bears fail to use public conveniences

Politicians fail to own up to relationships with certain young women

0
0
Anonymous Coward

Simples..

Public sector technology has overtaken public sector education.

0
0