back to article Jail incompetent council folk who leak our data, thunders furious BBW

A report published today by British privacy rights group Big Brother Watch (BBW) says the scale of private data being leaked is so great that those responsible should be jailed. Between April 2011 and April 2014, local councils experienced around four data breaches a day – a total of 4,236 instances – according to figures …

  1. Richard Taylor 2

    The problem is establishing the level of the person who should be charged (having cut costs and paid no attention to experts). Chances of them being even charged - let alone convicted, nill. Bit like corporate manslaughter.

    1. tmTM

      Often it's even more complicated

      The person originally responsible for initiating sloppy procedure will probably have moved one, having got a pat on the back for 'excellent cost cutting'.

      Savings made by forgoing costly security measures, which leaves everyone else carrying the can.

    2. LucreLout

      The problem is establishing the level of the person who should be charged

      I don't see that as a problem as much as I see it as an excuse to preserve the risible status quo we currently enjoy.

      Just start with the person at the top of the organisation and with the person at the bottom if we're talking lost or stolen laptops or portable media. If the gaffer has documentary evidence of delegating responsibility, authority, and resources to someone below them, then you move down a level. If the 'grunt' has documentary evidence of concerns being raised and not addressed then you move up one tier. Eventually you have the right people.

      So the punishment.... well, it will have to be jail time if the matter is to be taken seriously, for it has not been in the past 30 years. Lets start with one day in jail per persons record leaked and we can adjust up or down from there as we go.

      1. Stevie

        Just start with the person

        Not against the principle of the Bubble Sort Blame Allocation Method but I predict it will almost always time-out in 3-way+ deadlocks when you step up the ladder, only to be caught in a Lateral Blame Shift Deadlock.

        From Office Space: "I have eight bosses. If I do anything wrong, eight people are lining up etc etc".

        Personally, I have three or four bosses, depending on how "hands on" one of them wants to get in a given issue. Contradictory policy directives are not unknown.

      2. NeilMc

        No Accountability or Responsibility - its Meh and Shrug central!!

        in the cases sited there will be someone who is responsible for the laptop and there will be someone who the papers belonged to or will be claiming expenses for the train travel.

        All evidence to start a civil or criminal investigation.... however those that would naturally instigate the investigation will have been the first to be cut when "Central Govt Funding" was cut.

        Another fine case of unintended consequences from our celebrity career politicians... oink oink!!

  2. codejunky Silver badge

    Hmm

    Is the problem not being tackled the wrong way? While proper training and punishment for stupidity is necessary should we not look more to keeping the information out of their hands? Instead of gathering as much data centrally then giving it all away until someone effectively gives it away, maybe they should only have information they need and not be allowed to take it on an unencrypted laptop and such?

    If data breaches are honestly that common then I doubt any of them can feel it is important or out of the ordinary.

    1. LucreLout

      Re: Hmm

      If data breaches are honestly that common then I doubt any of them can feel it is important or out of the ordinary.

      Data breaches are more common than indicated. These are only the breaches they detected and which a colleague in IT couldn't conceal for them.

  3. Joe 48

    Failure at all levels.

    There is no quick fix. Failure at all levels in all departments. IT not securing networks and equipment when they have the tools to do it, users not understanding how to handle data, local auditor not doing any checks on how data is handled, I could go on. I'd question if half of them even knew the protective markings, let alone how that data should then be handled.

    A while ago Central Government came up with some controls so help local councils protect and handle dat so they are trying, although badly, to make things better. Controls and regular IT health checks are now common place, they have yearly PEN tests from CESG approved testers. The tech is generally in a good place, its us humans letting the side down.

    Been a few years since I've done any work in that sector but guessing the same issues still exist.

    1. Sir Sham Cad

      Re: Failure at all levels.

      >IT not securing networks and equipment when they have the tools to do it,

      Assuming that IT have been given any budget for security from the finance lot especially as budgets are being slashed. Also assuming the IT department has been able to recruit/retain sufficiently knowledgable staff and hasn't been outsourced to the cleaning company as it's just a "cost centre".

      Why yes, my grapes are especially sour this morning.

      >Users not understanding how to handle data,

      This in spades. Also users who don't bother with or care about any Information Governance training they may be given because "that's an IT thing, I don't need to worry about it *switches brain off*"

      >Local auditor not doing any checks on how data is handled

      Yes and, especially if the powers that be are aware of the previous point (Users) they won't be encouraged to do so.

      1. Jonathan Richards 1
        FAIL

        Re: Failure at all levels.

        >users who don't bother with or care about any Information Governance training they may be given

        Indeed. When I was involved with training Ministry of Defence staff in these matters, they had to record the training in the Personnel database, which featured a free-form field for description of the course. Memorably, I recall seeing "More data protection crap" submitted from one fine officer. I had trouble counting *that* one as a 'course delivered successfully'.

  4. Steve Crook

    Who's responsible?

    That should be the first thing. AFAIK there's no clearly stated responsibility. Head of IT? Head of the leaky department? CEO?

    Once we know *who* then we just have to sack, fine, or imprison them, because no matter how the breach occurred, they're responsible.

    If there's someone in a position of power who has something to lose there's more chance of standards being adhered to...

    1. dcluley

      Re: Who's responsible?

      Do not all companies have to have a designated person responsible for Data Protection?

      1. Steve Crook

        Re: Who's responsible?

        Yes, possibly. But someone needs it in their employment contract that they're personally *liable* and that disciplinary action *will* be taken meaning fines, loss of bonus or worse. More of senior management need to be roped in, as it's a company wide thing.

        Of course the local government situation is made more complex because so much of the IT is outsourced. But I see no reason why they should be held to a lower standard.

        1. Anonymous Coward
          Anonymous Coward

          Re: Who's responsible?

          Quite, but are they? Just as long as you apply the same standard to the private sector. So before you jail someone for spying on the friends wedding, let's lock up EE management, and check that noone at Facebook ever peeked at an ex's IMs.

        2. LucreLout

          Re: Who's responsible?

          Of course the local government situation is made more complex because so much of the IT is outsourced. But I see no reason why they should be held to a lower standard.

          The public sector MUST be held to a far higher standard than corporates. I can choose not to buy Coke, or Ford, or give my details to El Reg. I cannot choose not to give my data to the tax man, or the NHS, or the local council; I am compelled to do so by law.

          1. Woodnag

            Re: Who's responsible?

            Also, the law needs to reduce cover-ups by management. Perhaps have a central reporting station where possible leaks must be reported too ("I can't find that USB stick, but it may be at home") with in 24 hrs or suspected loss.

    2. Anonymous Coward
      Anonymous Coward

      Re: Who's responsible?

      @Steve Crook.

      There is always someone ultimately responsible - the person at the top of the pile. In a council it is the councillors as a collective - they are responsible for the person they use to run things for them just as in any company the board of directors have the ultimate responsibility.

      In this case the councillors should be sent to prison - and be barred from ever being in public office again. The next lot of councillors will then lean very heavily on the chief executive who, if he has any sense, will sort out the problem. If he doesn't then he is toast. This will have a knock-on effect through the whole council so making life better for all those in the area.

  5. RISC OS

    BBW???

    Big beautiful woman?

    1. Richard Wharram

      Re: BBW???

      Fatties

    2. Loyal Commenter Silver badge

      Re: BBW???

      Yeah, best not google that with safe-search off. At least not at work...

    3. Anonymous Coward
      Anonymous Coward

      Re: BBW???

      I have to admit the image that sprung to mind when I read that headline was of a furious "lady of a certain size" looking for a hapless councilman to crush with her bulk. I guess I spend too much time on the wrong kind of websites.

  6. chivo243 Silver badge
    WTF?

    Have to ask

    1) was the program sufficiently funded?

    2) were best practices in place during the implementation of said programs?

    3) were the people employed to use the system properly trained?

    4) were these people screened for prior offenses?

    5) were there auditing procedures in place?

    If NO was answered to any of the above... FAIL.

  7. Vimes

    “Current penalties for serious data breaches do not deter individuals who are seriously considering breaking the law,”

    Employees of a data controller can't normally contravene the DPA unless it's a section 55 offense related to illegally obtaining personal info.

    http://www.legislation.gov.uk/ukpga/1998/29/section/55

    Who should be charged and on what legal basis should they be dragged into court?

  8. Stuart 22

    Its surely cheaper to hang'em?

    Some of the local council people i know are dedicated, hard working and careful people. Others are what you get when you pay lower wages, expect redundancy and are regularly dished by those who screw them.

    So who here hasn't left stuff on a train or lost an unencrypted laptop? Its never intentional, it hurts the culprit on all sorts of levels and in the case of our Lewisham worker he lost his career. And these BBW folk want to bang him up too?

    Do visit the BBW website. Its all about freedom and stuff but appears to have a wee gap when it comes to the institutions who make Google and Microsoft look like rank amateurs when it comes to stealing personal data without warrant and/or making others store it till they can get around to analysing it. Checkout who are the people behind BBW. There's no political motive - Shirley?

    1. Kubla Cant

      Re: Its surely cheaper to hang'em?

      There's no political motive - Shirley?

      I agree. There is a strong whiff of silly-season grandstanding about this report.

      1. JimC

        Re: There is a strong whiff of silly-season grandstanding about this report.

        The wedding one for instance: Can't go to your mate's wedding 'cause its your shift on the CCTV so you watch it on the CCTV instead? Rather sweet (if a bit sad) rather than anything evil or malicious. But deserves a slapped wrist for *not* watching what the cameras should have been on, which sounds as if its what they got....

    2. LucreLout

      Re: Its surely cheaper to hang'em?

      So who here hasn't left stuff on a train or lost an unencrypted laptop?

      Me. I haven't ever left "stuff" on a train or taken data beyond the firewall while unencrypted. On the rare occasions where it has been necessary to move data beyond the firewall, that data is ALWAYS encrypted, and the dataset kept as small as possible. The custodian of the data then treats it with the same care and respect as it were their own data or that of their children.

      It is exceptionally rare to need to move data beyond a firewall if best practices are followed. It is NEVER required that it be moved unencrypted.

    3. Robert Grant

      Re: Its surely cheaper to hang'em?

      So who here hasn't left stuff on a train or lost an unencrypted laptop?

      Also me. Is this a joke?

  9. Dr Wadd

    The other factor which feeds in to councils' inability to handle data securely is the sheer amount of noise they want to collect with the useful data.

    A few years back I had an argument with my local council over this very topic. They were conducting a periodic audit of people who had a council tax discount to ensure they were still elligible, that part I have no argument with. However, the way they went about it was utterly broken. They first, without informing me, attempted to access my credit history. Because I'd not taken out any new credit for a *long* time it was empty. They then decided they wanted to see my bank statements. This was all in an effort to determine that I was still elligible for the single-occupancy discount. I had a huge back and forth with them arguing that the information they were requesting was in no way suitable for confirming this. Eventually they backed down, but not without a fight and getting a local councillor involved.

    However, if I'd not fought this the council would have ended up with copies of my credit history and bank statements in a context where providing that information was entirely pointless. If they keep can't manage data efficiently it is no surprise that they cannot handle it securely either.

    1. Triggerfish

      Having worked briefly on council tax for a council, them asking for your credit history or bank statements is weird, we never had to do anything like that even when doing debt recovery/ chasing non payers for the council. I can't even see why it would be elevant unless they thought something dodgy was going on, that sounds more like an investigation than standard practice.

  10. Anonymous Coward
    Anonymous Coward

    There is an officer...

    I think it's a section 154 officer, or something, who is responsible for, "corporate," data policy within local councils.

    So yes, there is a responsible person. And yes, jail is a possibility if they fail in their role.

    1. Triggerfish

      Re: There is an officer...

      Then they better also provide them with protection for when a councillor phones up and every rule is dropped to keep them happy.

      Have also seen same thing with home office, minister questioning whether I had the security clearance to be seeing his emails (whilst fixing a problem with outlook talking too exchange), then insisting and being an arse because I would not let his secretary (who definetly did not have clearance that high) have access to his mail box on her PC because he said so.

      1. Anonymous Coward
        Anonymous Coward

        Re: There is an officer...

        That's interesting because in my government experience (shortish), all of the secretaries (or admins) were cleared to the same level as their ministers - it cost a lot, especially because clearance at that level is expensive and personally intrusive.

        Oh and so did the IT staff - and the minister would know that.

        1. Nunyabiznes

          Re: There is an officer...

          Just because you have clearance to see a certain level of information does not mean you have a need to know.

          1. Doctor Syntax Silver badge

            Re: There is an officer...

            "Just because you have clearance to see a certain level of information does not mean you have a need to know."

            But you need to know so that you know if you need to know. Sir Humphrey got there before you.

        2. Triggerfish

          Re: There is an officer...

          Oh I figured the minister was just being a self important arse tbh. But the secretary definetly did not have (quite) high enough clearance it was a humungous no no to insist and figured he was just being a self important arse about demanding that as well.

  11. Dr Fidget

    No problem

    Of course, if these services had been properly privatised and run by (say) G4S, we'd hear all about these breaches and the directors would obviously be brought to court </sarcasm>

  12. ServerMonkey

    Apathy

    The biggest thing I encountered was an absolute apathy towards security. The council's head of IT really couldn't give a damn about the fact they had no IDS or IPS, even though the CESG guidelines for the PSN CoCo said that they should have one.

    They didn't seem in the slightest bit concerned that not having tools such as this meant that it in all likelihood they had been hacked already, and we had no way of knowing.

    As well as educating the users, the focus needs to be on educating the people in charge - the Data Protection Officer and the Head of IT positions were often trophy positions on the way to other roles in the council, so their input and strategic direction were more down to making themselves look good, rather than making the right decisions for the organisation.

    1. Triggerfish

      Re: Apathy

      Council security gave me the impression that they spent more time monitoring employees and checking what they looked at on the web and emails than anything,

      I got the feeling it was treated like an extension of HR, where there job was to a make sure no one looks at someting that could cause a problem (note in the councils I have worked in policies on sexism and racism mean that even if someone overhears something and finds it offensive then it's treated as sch, e.g working with my Indian friend if I asked him to translate something and said it was al dirkha dirkha jihad to me even if it was just in conversation between us (or if he calls me a Kafir) with no offence meant or taken between each of us, is a possible offence if someone overhears it and finds it racist), so the IT dept watch the staff to make sure the council doesn't get one on some HR policy breach, or find evidence to get rid of people by the same way since it can be a bugger getting rid of long term council staff.

      Of course I may be cynical but having worked for various councils up and down the country the biggest conclusion I have come to is a large percentage of my council tax is wasted on idiocy, internal politics and general fuckwittery.

  13. Anonymous Coward
    Anonymous Coward

    FIRE ( or jail ) THE USELESS DEVELOPERS!!!!!!

    Period.

  14. David Roberts
    FAIL

    Show me the money! + Admiral Bing

    For the papers left on the train - without total IT suport for all processes and procedures, case workers will have to carry their paper files with them every day as they move between office, home, and clients.

    I have yet to see securely encrypted paper forms (although some come scarily close).

    So until you have a fully functional, implemented and supported electronic system which covers all aspects of case work along with a strong and constant drive to prevent anyone taking paper notes and trancribing them later you will always have thousands of case workers every day carrying paper based information in public areas.

    Some of these will certainly be lost each year, probably each week.

    Jailing people randomly (on the Admiral Bing principle) will just make people who have no choice but to breach DPA guidelines every day just to do their jobs go to extraordinary lengths to conceal any loss of sensitive information.

    Implementing fully electronic systems is demonstrably far beyond the capabilities, resources and funding of the current IT infrastructure.

    So to do this you need to fund a massive increase in development, testing, support, training, and compliance monitoring. Which will cost money.

    Threatening to jail people for being forced to adopt procedures over which they have no control is IMHO a totally stupid and immoral politician's response. A problem you say? Look, legislation. Now it is a crime. My work here is done! Meanwhile the police can't even afford to attend crime scenes and are asking for photos instead.

    So show me the money!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like