UK data privacy watchdogs have fined Aberdeen City Council £100,000 after a council employee published vulnerable children's details online. The sensitive social services information was released after a council worker accessed documents, including meeting minutes and detailed reports, from her home computer. A file-transfer …
Checking our policies now.
I hate seeing:
Data Protection Policy - homeworking: refer to the HR Homeworking policy
Homeworking Policy - refer to the Data Protection Policy.
No ambiguity there.
And having found such an incorrect policy, did you just laugh at the stupidity of it, or also drop an email to the IT director? If you only did the former then you're part of the problem (and possibly legally liable as such).
And if you did the latter you're now on the shit list for pointing out a major problem without a cost-free, effortless solution. (And, worse still, implicitly criticizing the senior people who set up the existing system).
Which is why companies should be required to have whistle blowing policies (although if they can't get the Data Protection and Homeworking policies in place, they don't stand much chance of getting a whistle blowing policy that is considered safe).
Astonishing. You find an error in an IT policy, probably due to a misunderstanding or unclear goals when it was drawn up, and you want whistleblower protection against ending up on a "shit list"?! Do you still put your hand up and ask your boss for permission when you need to go for a piss as well?
"Do you still put your hand up and ask your boss for permission when you need to go for a piss as well?"
Only if I think it will go down as a black mark on my zapiska if I don't.
The title is incorrect
"Scots council cops £100K fine for spaffing vulnerable kids' data ONLINE"
"Scots council tax payers cop £100K fine for spaffing vulnerable kids' data ONLINE"
Were the managers who had failed to put the policies in place (or block home-working) fired?
So nothing will change.
Re: The title is incorrect
Given the amount of debt Aberdeen council are in, I wouldn't worry about it.
What does fining Aberdeen City Council achieve?
I assume it means moving some tax payers' money from one government department to another. The audit is a start, but that can only identify problems. There needs to be an incentive and a budget to fix them.
Any chance of digging a bit and find out some technical detail?
I'm struggling to see what sequence of events would get documents from work to be auto-magically published publicly online?
Is it a dropbox 'feature' I'm not aware of?
Some facebook thing?
Some sort of shared folder Limewire fail?
So they didn't have a policy/process for home working. Does that mean she just emailed stuff to her home account? Or do they have a homeworking solution, just badly implemented?
Re: Technical Detail
She was using a second hand machine. The FTP Auto-uploader was a present left behind (accidentally or deliberately) by the previous owner.
She probably took the stuff home on an encrypted usb stick with the blessing of her manager, coz that's secure innit?
That blessing evaporating as soon as an investigation started.
I would like to know if the 'Council Employee' actually was a direct employee of the council. In my experience, a lot of council employees are actually employees of companies like Capita and others who do everything they can in the name of profit not to spend valuable profits in training their staff.
They will send round little notes or booklets of guidelines that staff have to sign to say they have read the regulations affecting their work and that is about as close as they get to real training, possibly councils too, are afflicted with the money saving booklet idea instead of using professional trainers to help produce professional staff.
Size of fine is immaterial
it'll only get overturned
Follow the money
So local government or the NHS, who get money from central government to provide services (and some from local people, who also give the money to central government so they can give it to the others), have to give some money to central government. Will central government now need to hand that money back so that the local government and NHS can afford the fines they need to pay to central government?
from a turnover point of view :-
CG > Grant > LG £500k
LG > Fined > CG £500k
CG > Loans > LG £500k
LG > Repayment > CG £?
so for £500k moving round a turnover of at least £1.5Million sweet
Going by experiences of the wife....
...then it was probably done as the "remote access" systems consist of asking someone in the office to email you it in a Hotmail account.
Hint, wife had to put up with 8 days' downtime to the entire office (40 people) due to a single failed part on a single server.
Take USB pen, walk 20 minutes, copy said files. Walk back. Amend files. Repeat.
This will continue to happen until we start seeing staff being personally held responsible for this and seeing it published - was this staff member sacked for gross negligence? Was their department sticking to any agreed mandatory training for staff? If not, why not?
People need to start losing their jobs for this sort of thing, but it rarely happens and usually involves some deal for them to leave with a golden handshake.
Was the user aware of the file transfer program?
Should they have been?
Should a case worker have done a security audit of a machine supplied by the council?
In my experience it's likely that the staff member was put under pressure to get the work done, but given insufficient time in the office to do it and absolutely no support to make sure that the data was secure at home, partly because the people above will not have wanted to know staff were working at home.
Management will have made very sure that they had no idea what was going on and just expected outcomes to materialise.
Seems like Aberdeen is in dire need of a new Council
So this time it's vulnerable children's details posted online. I'm sure the kids needed that.
Last year, it was Moccasin Creek.
But hey, no problem really. After all, £100,000 is just 9 days of bus lane penalty fines, apparently.
Private sector rarely has really sensitive personal data, hence public sector is over-represented in data protection breaches. Still inexcusable though.
"The fine against Aberdeen is further evidence that there's a poor data security culture in local government that appears to be deeply ingrained."
Absolute nonsense. I'm a private sector consultant, with my time split about half and half between public and private work. Both sectors are as bad as each other. The difference is the public sector are more likely to report breaches because there's no risk of them triggering punitive contract terms or suffering damage from losing ISO27k as they're the sole, public provider of their service. On the rare occasion the private sector do report their own breaches they usually throw lawyers at the problem until it goes away - ICO don't have the resources to fight such cases, just like public sector bodies don't have the resources to sue ICO to make their cases go away. Further, private bodies rarely handle sensitive information on the same kind of scale as public bodies, so when those rarely-reported, often-contested breaches do occur, they're of a lesser magnitude anyway.
Social Workers not very good at IT Security
Pope not protestant
Bears fail to use public conveniences
Politicians fail to own up to relationships with certain young women
Public sector technology has overtaken public sector education.