Council not fined after 7,200 sensitive files dumped in skip

Southwark council breached the Data Protection Act after it left an unencrypted computer and papers containing sensitive information on 7,200 people in one of its buildings when it was vacated, which were then disposed of by the building's new tenant, the Information Commissioner's Office (ICO) has said. The local authority …

COMMENTS

This topic is closed for new posts.
  1. Dodgy Geezer Silver badge

    Optional? Why is it Optional?...

    "Council not fined after 7,200 sensitive files dumped in skip"

    What would be the point? Nobody in the council would be touched by a fine. And they would just take more money from the taxpayer to make up for the loss.

    Government is out of control and above the law....

    1. The Cube
      Thumb Up

      Absolutely

      The pointless pencil-pushing waste of taxpayers' money responsible should be fined and then fired for being a waste of oxygen. Wasting even more taxpayers' money paying a tiny fine which will in no way impede the bovine blunderer in their career plan of leeching off society for another 10 years before retiring early at our expense is doubly pointless.

      We need a smarter incentive scheme for the vermin that infest our government and council services. Perhaps when they are caught out breaking the law they should be placed in stocks outside the town hall so that the people whose lives they have made a misery with their tinpot Hitler act can pelt them with rotten fruit for a few days. I can think of more than a few home secretaries that should have spent a month on the lawn opposite Westminster allowing the people to pay them back for their service to the country....

      We are tired of these parasites behaving as if they are above the law and getting away with it, perhaps setting up a few guillotines in town squares might serve as a warning to them?

      1. N2

        It pains me to say

        The bovine blunderer, instead of being sent to the scaffold

        has probably been promoted

  2. DaWolf

    I've worked in both private and public.

    People complain about the costs of government, especially IT. One of the reasons is that all the extra paperwork etc. involved in trying to keep things secure costs a lot of extra money and time.

    One laptop went missing? Councils use millions of them, and ONE went missing.

    One book went missing, from a locked room?

    Whilst neither situation is good, we need to get this into perspective: when you have millions of employees, and millions of laptops, and tens of millions of other documents, it is beyond the wit of man to protect everything. The closer you get to protecting everything, the more costs rise.

    1. Spoonsinger

      Re:- I've worked in both private and public. bla, bla, bla

      Likewise, but I've never lost a laptop, phone or memory stick. So it can be within "the wit of man", to actually protect/take care of those things provided by the employer/client in the course of their employment.

    2. Medium Dave
      FAIL

      Southwark council do not have millions of employees.

      According to Datablog, the FTE count was 4500 as of February. Asset tracking these sorts of numbers is not "beyond the wit of man": You could do it in a spreadsheet, a quick'n'dirty database, or - if somebody's thrown your PC into a skip - a pencil.

      You'll notice, by the way, that this number is considerably smaller than the number of constituents they chucked the details for.

      According to ZDNet, the machine in question had been lost in a cupboard since *2003*, so god knows when they last did a proper audit.

      1. DaWolf

        @Medium Dave

        councils - the clue is in the s, which is a plural.

        From this you may deduce that I was not just referring to Southwark Council.

    3. Anonymous Coward

      Excuses, excuses.

      You're quite right that it's a losing game; there's bloody millions of all those sensitive things, ensuring some will be misplaced, go missing, get lost, stolen, sold, whatever. And with all that fancy data processing equipment it's become so easy, so efficient, that a good solid breach will hurt like never before.

      And I'll buy your argument that all the paperwork is just that cumbersome. If good old paperwork isn't good enough --and it isn't, because we've just replaced it with that computer-y stuff, which is "better", including at making data go walkies-- then we need to find new models of securing. But does that mean we just have to accept losses? Heck no. All that really means is we have our work cut out for us. Starting with workflows that handle data in such a way that even if you lose it or it gets stolen, it's no good to anyone else.

      Of course, this is a whole new kettle of fish and one we haven't figured out yet. Councils and government in general will have a whale of a time because they're normally quite behind the curve and are quite used to their hundreds-of-years-old ways of working -- entirely paper based. But then again, government is also what makes things happen that we need but individuals or companies cannot or will not. And, well, it's increasingly obvious we need to massively revamp our personally-sensitive data related workflows to ensure security and privacy both; simply mapping from physical desktop to desktop metaphors isn't quite making the grade. So maybe government should make serious work of carrying the can in this.

    4. Anonymous Coward

      I disagree. With properly-designed systems it should be impossible to have unencrypted data in anything but a very temporary buffer on the worker's machine. And for the sort of money the public stumps up for these systems, that's damned well what we should be seeing.

    5. Anonymous Coward

      Excuses Excuses....

      ...: when you have millions of employees, and millions of laptops, and tens of millions of other documents.

      Well, apart from the fact that the council doesn't; in fact it's about the same size as our business.

      All our devices run full disk encryption.

      All removable devices are automatically encrypted (including phones). Any storage device attached to a PC that can't be encrypted is denied installation.

      All paperwork is shredded regardless of sensitivity.

      So not that hard really is it...

      1. Anonymous Coward

        Sadly

        you are in the minority.

        I presumed the PC in question was a desktop (not a laptop), and the vast majority of organisations do not encrypt desktops (as physical security measures are deemed sufficient to protect the data). Personally, as an InfoSec Consultant I often (if not always) recommend full encryption of all desktops too, to eliminate scenarios like this (and to make decommissioning/destruction less risky). But the business almost always deems it an unnecessary control.

        1. Anonymous Coward

          "an unnecessary control"

          There's something to be said for that logic: Over the lifetime of the box you're spending a lot of cycles on the encryption (and man-hours on the support of yet another layer of complexity) just so disposing is a mite easier. It does seem a bit lopsided, no?

          So the obvious calculation is to dispense with that. Disposing now must include removing the drive, of course. Wiping it would be good enough, but people forget; easier and simpler to check is to just take the drive out and hand it to some suitable outfit to wipe the things and/or dispose of them. Just make sure (in writing) that along with the drives they also take the blame.

          Of course paying someone to take the blame isn't a real solution but that's how privacy works, or doesn't work, the way it is set up now.

          Or you could try something along the lines of thin clients or boot-only drives (couple-of-GB flash devices would be enough) with exactly no user permissions, and keep all the non-system data on servers elsewhere, to be cared for by qualified personnel. Not a bad idea given how drive prices are currently going through the roof, anyway.

  3. Richard IV

    Unless and until a Data Controller is personally held liable and nigh on bankrupted by a fine for something like this, nothing will change.

    1. Anonymous Coward

      If bankruptcy of a Data Controller...

      ... is on the cards, then expect no-one to take the job.

      It's that simple. The moment a job has criminal consequences that are actively enforced, that job will be impossible to fill unless filled using some kind of conscription method.

      100% compliance is a myth. Unless you have armed guards with orders to shoot to kill, there's nothing you can do to stop an employee carrying out a filing cabinet using a wheelbarrow, or a group of employees from wheeling out your racks of servers into the car parks, where they then load the servers into their cars to take home and sell on eBay.

      All the procedures in the world won't stop an employee smuggling in a camera in his boxer shorts (or panties if he's that way inclined).

      The current data laws are stupid. If someone drives an 18-wheel truck through my local doctor's clinic, and snatches up a PC or two before he drives through the outbound wall, or picks up a couple of lever-arch files, the Data Controller is (according to the law) responsible for the loss. Encryption is irrelevant because you can't prove a negative, i.e. prove that the data hasn't been decrypted by the HGV-driving thief. And last time I consulted at a health centre, I saw several rooms containing racks full of paper-based medical records.

      You have no privacy. Get over it.

      *Posted AC for irony's sake.

      1. Joe 3
        Stop

        @AC, 22:35

        Well, gas installers can be (and have been) sent to prison for failing to do their job properly, and as far as I'm aware there's no conscription in place for that job!

        (Of course, gas and data are different beasts...)

        1. Anonymous Coward
          Flame

          @Joe 3

          That would be because people have a habit of dying in blowy-uppy things when gas installations go wrong.

          1. Anonymous Coward

            @jubbles

            "That would be because people have a habit of dying in blowy-uppy things when gas installations go wrong."

            And nobody's life gets ruined if their identity is stolen...

      2. Richard IV

        @AC 22:35

        You've deliberately conflated "something like this" with "absolutely all".

        Of course total prevention of data loss is an impossibility. What's important is knowing where and what data is stored. As is taking reasonable steps to secure it. Failure to comply with this is what Data Controllers should be lying awake at night over. This is the area I meant by "something like this" for swingeing fines.

        Not preventing the ram raid is OK, not knowing that a PC or files were taken in it isn't.

        Nor is not knowing that data that you were in control of was in a building that your organisation was vacating, or failing to ensure that the building was emptied of said data.

  4. Woodnag

    Councils keep details of criminal history?

    "The information stored on the computer and the papers included details of ... any past criminal convictions".

    Councils keep details of criminal history? Er, why? And if so, doesn't that come under (presumably stricter) misuse of police data law?

    1. Anonymous Coward

      Sure does

      1. Yes.

      2. Think child protection, social services, schools/teachers, benefits fraud, adoption agencies etc. As well as loads of CRB checks for staff themselves.

      3. Was the data being misused? See point 2 for valid use examples and reasons for processing. There are lots of potential compliance/NDA/Policy/Information Exchange agreement breaches in this (as well as DPA), but I'm not sure that misuse is on the list anywhere. Nobody is accusing the council of misusing the information, but of not protecting it well enough.

      Sorry if that isn't what you wanted to hear.

  5. Yet Another Anonymous coward Silver badge

    @Absolutely

    Sensible policies for a fairer Britain!

  6. Sean Baggaley 1

    Surely the best solution for the lost computer scenario...

    ... is to use thin clients instead?

    A nationwide "cloud" setup is probably not a good idea, but having a cloud for each council could work. Coupled with suitable thin-client software, this would eliminate the problem of missing computers as said computers would never have the data stored locally in the first place.

    Of course, this does place all the council's data eggs in a single, convenient, basket.

    Bugger.

  7. Graham Marsden
    Coat

    The book which should have been stored in a locked cabinet...

    ... in a disused lavatory with a sign on the door saying "Beware of the Leopard"?

  8. Woodnag

    ...why is no-one asking why

    "The information stored on the computer and the papers included details of ... any past criminal convictions".

    Councils keep details of criminal history? Er, why? And if so, doesn't that come under (presumably stricter) misuse of police data law?

  9. All names Taken

    Hmmm

    "Southwark council has committed to putting changes in place and we look forward to completing an audit next year to help them to identify further improvements."

    Was the spokesperson's hand doing rapid toing and froing actions about the groin region about the same time?

    Expect a non-apology along lines of: we handle X units of confidential information of which the loss or improper release of 7,200 makes an error factor of about 0.000000000000000001%.

    I am sure that El Reg readers will acknowledge that this is a very small percentage and is on par with similar sized public sector organisations holding similar amounts of confidential information.

    Why is it that it is only the Tories who are prepared to say: public sector sloppiness has been tolerated for far too long!?

  10. Anonymous Coward

    ICO

    Chocolate, meet Fireguard.

  11. John Sturdy
    FAIL

    Southwark council may have committed to putting changes in place, but what good will that do when they're such muppets as to have made this kind of mistake in the first place?

  12. Anonymous Coward

    What about..

    The Register's personal data leak?

    How's that fine coming along?
