Policies?
Checking our policies now.
I hate seeing:
Data Protection Policy - homeworking: refer to the HR Homeworking policy
Homeworking Policy - refer to the Data Protection Policy.
No ambiguity there.
UK data privacy watchdogs have fined Aberdeen City Council £100,000 after a council employee published vulnerable children's details online. The sensitive social services information was released after a council worker accessed documents, including meeting minutes and detailed reports, from her home computer. A file-transfer …
Astonishing. You find an error in an IT policy, probably due to a misunderstanding or unclear goals when it was drawn up, and you want whistleblower protection against ending up on a "shit list"?! Do you still put your hand up and ask your boss for permission when you need to go for a piss as well?
"Scots council cops £100K fine for spaffing vulnerable kids' data ONLINE"
Should read
"Scots council tax payers cop £100K fine for spaffing vulnerable kids' data ONLINE"
Were the managers who had failed to put the policies in place (or block home-working) fired?
No.
So nothing will change.
Any chance of digging a bit and finding out some technical detail?
I'm struggling to see what sequence of events would get documents from work to be auto-magically published publicly online?
Is it a dropbox 'feature' I'm not aware of?
Some facebook thing?
iCloud?
Some sort of shared folder Limewire fail?
So they didn't have a policy/process for home working. Does that mean she just emailed stuff to her home account? Or do they have a homeworking solution, just badly implemented?
She was using a second hand machine. The FTP Auto-uploader was a present left behind (accidentally or deliberately) by the previous owner.
She probably took the stuff home on an encrypted usb stick with the blessing of her manager, coz that's secure innit?
That blessing evaporating as soon as an investigation started.
I would like to know if the 'Council Employee' actually was a direct employee of the council. In my experience, a lot of council employees are actually employees of companies like Capita and others who do everything they can in the name of profit not to spend valuable profits in training their staff.
They will send round little notes or booklets of guidelines that staff have to sign to say they have read the regulations affecting their work, and that is about as close as they get to real training. Possibly councils too are afflicted with the money-saving booklet idea instead of using professional trainers to help produce professional staff.
So local government or the NHS, who get money from central government to provide services (and some from local people, who also give the money to central government so they can give it to the others), have to give some money to central government. Will central government now need to hand that money back so that the local government and NHS can afford the fines they need to pay to central government?
from a turnover point of view :-
CG > Grant > LG £500k
LG > Fined > CG £500k
CG > Loans > LG £500k
LG > Repayment > CG £?
So for £500k moving round, a turnover of at least £1.5 million. Sweet.
...then it was probably done as the "remote access" systems consist of asking someone in the office to email you it in a Hotmail account.
Hint: wife had to put up with 8 days' downtime to the entire office (40 people) due to a single failed part on a single server.
The "fix"?
Take USB pen, walk 20 minutes, copy said files. Walk back. Amend files. Repeat.
This will continue to happen until we start seeing staff being personally held responsible for this and seeing it published. Was this staff member sacked for gross negligence? Was their department sticking to any agreed mandatory training for staff? If not, why not?
People need to start losing their jobs for this sort of thing, but it rarely happens and usually involves some deal for them to leave with a golden handshake.
In my experience it's likely that the staff member was put under pressure to get the work done, but given insufficient time in the office to do it and absolutely no support to make sure that the data was secure at home, partly because the people above will not have wanted to know staff were working at home.
Management will have made very sure that they had no idea what was going on and just expected outcomes to materialise.
So this time it's vulnerable children's details posted online. I'm sure the kids needed that.
Last year, it was Moccasin Creek.
Trouble was brewing before though, and some local citizen tried to do something about it in 2011. Maybe she was unhappy about this.
But hey, no problem really. After all, £100,000 is just 9 days of bus lane penalty fines, apparently.
"The fine against Aberdeen is further evidence that there's a poor data security culture in local government that appears to be deeply ingrained. ®"
Absolute nonsense. I'm a private sector consultant, with my time split about half and half between public and private work. Both sectors are as bad as each other. The difference is the public sector are more likely to report breaches because there's no risk of them triggering punitive contract terms or suffering damage from losing ISO27k as they're the sole, public provider of their service. On the rare occasion the private sector do report their own breaches they usually throw lawyers at the problem until it goes away - ICO don't have the resources to fight such cases, just like public sector bodies don't have the resources to sue ICO to make their cases go away. Further, private bodies rarely handle sensitive information on the same kind of scale as public bodies, so when those rarely-reported, often-contested breaches do occur, they're of a lesser magnitude anyway.