Scots council cops £100K fine for spaffing vulnerable kids' data ONLINE

UK data privacy watchdogs have fined Aberdeen City Council £100,000 after a council employee published vulnerable children's details online. The sensitive social services information was released after a council worker accessed documents, including meeting minutes and detailed reports, from her home computer. A file-transfer …

COMMENTS

This topic is closed for new posts.
  1. Alfred 2

    Policies?

    Checking our policies now.

    I hate seeing:

    Data Protection Policy - homeworking: refer to the HR Homeworking policy

    Homeworking Policy - refer to the Data Protection Policy.

    No ambiguity there.

    1. Phil O'Sophical Silver badge

      Re: Policies?

      And having found such an incorrect policy, did you just laugh at the stupidity of it, or also drop an email to the IT director? If you only did the former then you're part of the problem (and possibly legally liable as such).

      1. Anonymous Coward

        Re: Policies?

        And if you did the latter you're now on the shit list for pointing out a major problem without a cost-free, effortless solution. (And, worse still, implicitly criticizing the senior people who set up the existing system).

        1. This post has been deleted by its author

        2. Velv

          Re: Policies?

          Which is why companies should be required to have whistle blowing policies (although if they can't get the Data Protection and Homeworking policies in place, they don't stand much chance of getting a whistle blowing policy that is considered safe).

          1. Phil O'Sophical Silver badge

            Re: Policies?

            Astonishing. You find an error in an IT policy, probably due to a misunderstanding or unclear goals when it was drawn up, and you want whistleblower protection against ending up on a "shit list"?! Do you still put your hand up and ask your boss for permission when you need to go for a piss as well?

            1. Anonymous Coward

              Re: Policies?

              "Do you still put your hand up and ask your boss for permission when you need to go for a piss as well?"

              Only if I think it will go down as a black mark on my zapiska if I don't.

  2. The BigYin

    The title is incorrect

    "Scots council cops £100K fine for spaffing vulnerable kids' data ONLINE"

    Should read

    "Scots council tax payers cop £100K fine for spaffing vulnerable kids' data ONLINE"

    Were the managers who had failed to put the policies in place (or block home-working) fired?

    No.

    So nothing will change.

    1. Anonymous Coward

      Re: The title is incorrect

      Given the amount of debt Aberdeen council are in, I wouldn't worry about it.

  3. Flocke Kroes Silver badge

    What does fining Aberdeen City Council achieve?

    I assume it means moving some tax payers' money from one government department to another. The audit is a start, but that can only identify problems. There needs to be an incentive and a budget to fix them.

  4. Ian 62

    Technical Detail

    Any chance of digging a bit and finding out some technical detail?

    I'm struggling to see what sequence of events would get documents from work to be auto-magically published publicly online?

    Is it a dropbox 'feature' I'm not aware of?

    Some facebook thing?

    iCloud?

    Some sort of shared folder Limewire fail?

    So they didn't have a policy/process for home working. Does that mean she just emailed stuff to her home account? Or do they have a homeworking solution, just badly implemented?

    1. 0laf

      Re: Technical Detail

      She was using a second hand machine. The FTP Auto-uploader was a present left behind (accidentally or deliberately) by the previous owner.

      She probably took the stuff home on an encrypted usb stick with the blessing of her manager, coz that's secure innit?

      That blessing evaporating as soon as an investigation started.

  5. Chris G

    CCT?

    I would like to know if the 'Council Employee' actually was a direct employee of the council. In my experience, a lot of council employees are actually employees of companies like Capita and others who do everything they can in the name of profit not to spend valuable profits in training their staff.

    They will send round little notes or booklets of guidelines that staff have to sign to say they have read the regulations affecting their work, and that is about as close as they get to real training. Possibly councils, too, are afflicted with the money-saving booklet idea instead of using professional trainers to help produce professional staff.

  6. Anonymous Coward

    Size of fine is immaterial

    it'll only get overturned

    http://www.theregister.co.uk/2013/08/28/ico_wrong_to_serve_local_authority_with_data_breach_fine_tribunal_rules/

  7. Anonymous Coward

    Follow the money

    So local government or the NHS who get money from central government to provide services (and some from local people, who also give the money to central government so they can give it to the others) have to give some money to central government. Will central government now need to hand that money back so that the local government and NHS can afford the fines they need to pay to central government?

    from a turnover point of view :-

    CG > Grant > LG £500k

    LG > Fined > CG £500k

    CG > Loans > LG £500k

    LG > Repayment > CG £?

    so for £500k moving round a turnover of at least £1.5Million sweet

  8. Anonymous Coward

    Going by experiences of the wife....

    ...then it was probably done as the "remote access" systems consist of asking someone in the office to email you it in a Hotmail account.

    Hint, wife had to put up with 8 days' downtime to the entire office (40 people) due to a single failed part on a single server.

    The "fix"?

    Take USB pen, walk 20 minutes, copy said files. Walk back. Amend files. Repeat.

  9. Halfmad

    This will continue to happen until we start seeing staff being personally held responsible for this and seeing it published - was this staff member sacked for gross negligence? Was their department sticking to any agreed mandatory training for staff? If not, why not?

    People need to start losing their jobs for this sort of thing, but it rarely happens and usually involves some deal for them to leave with a golden handshake.

    1. Yet Another Anonymous coward Silver badge

      Was the user aware of the file transfer program?

      Should they have been?

      Should a case worker have done a security audit of a machine supplied by the council?

    2. Anonymous Coward

      Buck passing

      In my experience it's likely that the staff member was put under pressure to get the work done, but given insufficient time in the office to do it and absolutely no support to make sure that the data was secure at home, partly because the people above will not have wanted to know staff were working at home.

      Management will have made very sure that they had no idea what was going on and just expected outcomes to materialise.

  10. Pascal Monett Silver badge

    Seems like Aberdeen is in dire need of a new Council

    So this time it's vulnerable children's details posted online. I'm sure the kids needed that.

    Last year, it was Moccasin Creek.

    Trouble was brewing before though, and some local citizen tried to do something about it in 2011. Maybe she was unhappy about this.

    But hey, no problem really. After all, £100,000 is just 9 days of bus lane penalty fines, apparently.

  11. Anonymous Coward

    other news

    Private sector rarely has really sensitive personal data, hence public sector over-represented in data protection breaches. Still inexcusable though.

  12. Anonymous Coward

    "The fine against Aberdeen is further evidence that there's a poor data security culture in local government that appears to be deeply ingrained. ®"

    Absolute nonsense. I'm a private sector consultant, with my time split about half and half between public and private work. Both sectors are as bad as each other. The difference is the public sector are more likely to report breaches because there's no risk of them triggering punitive contract terms or suffering damage from losing ISO27k as they're the sole, public provider of their service. On the rare occasion the private sector do report their own breaches they usually throw lawyers at the problem until it goes away - ICO don't have the resources to fight such cases, just like public sector bodies don't have the resources to sue ICO to make their cases go away. Further, private bodies rarely handle sensitive information on the same kind of scale as public bodies, so when those rarely-reported, often-contested breaches do occur, they're of a lesser magnitude anyway.

  13. JimC

    Social Workers not very good at IT Security

    Pope not protestant

    Bears fail to use public conveniences

    Politicians fail to own up to relationships with certain young women

  14. Anonymous Coward

    Simples..

    Public sector technology has overtaken public sector education.
