Who exactly pays these fines?
Or, more precisely, where is our council tax going please?
The Information Commissioner's Office (ICO) will meet representatives from local authorities to address what it has called an "underlying problem" with the bodies' approach to data protection. The ICO made the announcement after it reported that it had served civil monetary penalty notices to four separate local authorities in …
Exactly - one government department fining another one - it's like taking a pound out of one pocket and putting it in your other one. Futile.
It's obvious from the number of cases that hit the headlines - plus quite possibly the smaller ones that don't - that the current measures and fines are not working. So I approve of the ICO getting involved in prevention rather than sitting on the sidelines dishing out fines which don't seem to have any effect and just squander my Council Tax.
I'm not sure that they can completely turn round the culture of not taking people's personal data seriously enough which seems to be prevalent in many cases, but I think it's better than doing nothing.
Fines whereby a council's processes - or lack of them - are the reason for the fine hurt exactly the people who've already been hurt by the event in the first place: thee and me. Fining a publicly funded body is pointless and counterproductive.
The fine should go to the idiot who left the USB stick on the bus, who failed to apply the correct setup to the server, who wrote the illogical process requirement... culpable individuals, not the council as a whole.
Of course, deciding who's actually culpable is another problem. But the aim surely is to provide incentives for care to be taken, not a blanket 'it's the fault of the council'.
In the part of the NHS I work in we were asked to sign forms that stated we accept personal liability if we leaked data.
How many people have been charged - financially or criminally?
Thumbs up for that.
But basically this continues till the CTO, IT Director or whatever permanent official is responsible for this can and does do some jail time.
That will have a remarkable focusing effect on IT security and data protection training.
So Mr Smith, what sort of annual salary would it take for you to take on a job where you could go to gaol for dropping a USB stick?
And bearing in mind the usual law of unintended consequences when it comes to legislation, do you think it likely that the considerably reduced numbers of people prepared to take on such jobs would be the more careful types, or the careless ones who are sure it could never happen to them?
And if we assume a considerably reduced headcount, do you think the increased pressure of work would make stuff-ups and errors more likely or less likely?
More importantly, how much would you need to take on a job where you could go to jail for the actions of one of the other staff? (Such as someone that you don't even know or have even met losing a USB stick)
In the private sector, many companies would sack the member of staff straight away; I'm not sure if that is the case in the public sector, but it seems not (although I would be happy to be proven wrong). I would rather see a financial penalty being applied to the user responsible for a first offence, then increasing in severity until the third offence, at which they get the boot.
I think that the ICO are right in what they are trying to do; I hope that they help reduce the apparent flood of lost data. I suspect that it won't make a huge difference (but then I am very cynical!).
@AC 09:16 You are just plain wrong. If someone drops a USB stick that contains personal information it is a big deal. Why were they *able* to put the data on a USB key? FAIL. Why was data on a USB key? FAIL. Why was the USB key out of the office? FAIL. Why was the data unencrypted? FAIL.
How can you trust someone to do the right thing after that lot? I don't know about jail time, but I don't see that people should keep their jobs after that level of mismanagement. It's not like it's a new problem, or that the processes required to keep data relatively secure aren't already well known. It comes down to management being prepared to make it happen. If they don't, they're not fit for the job.
Is it so difficult to buy / use an encrypted hard drive / USB stick? We use the Ironkey ones and they auto-wipe after 10 invalid password attempts. Sure, they are not cheap, but cheaper than having the data end up in the wrong hands.
Of course things like TrueCrypt are 'free' and not 'hard' to use - but may as well make it dead easy and having the data 'wipe' after 10 invalid attempts is probably better still.
"So Mr Smith, what sort of annual salary would it take for you to take on a job where you could go to gaol for dropping a USB stick?"
Well Mr AC, I'd say the jail time is not for dropping the data on a USB stick, it's for making no effort to stop it ending up on a lost USB stick in the first place, not designing a system that designs out the need for local storage of personal data, and not explaining (in writing) to the elected officials (who hold the purse strings) what's going to happen if they don't understand that it's not their f**king data to lose, it's their constituents who have the right to be pretty p***ed off when it happens.
And BTW, outside IT there are professions in which failure to do your job properly has both criminal and civil legal penalties. When the FD of a company signs off on a company's accounts they are saying "I've checked this and it's an honest picture of the company at this time." Yes, they can do jail time if this turns out to be false, be disbarred from being a company director for up to 15 years in the UK and barred from practising as an accountant. MDs can be banned from being a company director and IIRC do jail time as well.
The issue isn't so much dropping a USB stick on the bus as it is the sheer foolishness of putting unencrypted data on the thing in the first place. A close runner-up is the foolishness of anybody from the CEO down taking protected data outside the workplace in any form.
To some extent, the latter is caused by the managers who don't understand that the work day is only eight hours long.
"When the FD of a company signs off on a company's accounts they are saying "I've checked this and it's an honest picture of the company at this time." Yes, they can do jail time if this turns out to be false, be disbarred from being a company director..........."
Can. But rarely are, in my experience of such things. Whenever a company goes bust and leaves creditors out of pocket, then it is almost always the case that it has been trading whilst insolvent (an offence), or making up some of the numbers (ditto). But rarely are these issues pursued properly. And even when the authorities do try for disqualifications, it is often the case that the truly guilty walk away scot-free. Have a nose round "farepak directors disqualification" articles dated around 23 June 2012 to see this - an attempt to ban a couple of the directors collapsed after it emerged that HBOS had a big and guilty hand in the affair - but nobody at HBOS has been led away in handcuffs.
And for many of the rich spivs who are in the frame for a disqualification, there's a simple workaround of having your wife act as a director for the duration of your ban.
Lots of our tax payers money to be diverted from actually doing stuff for the public into nice lucrative careers for ICO executives...
Well, we'll see how it develops. Something has to be done to make local and national government realise that data security is important.
I did have one (not entirely serious) idea, and that would be that the people responsible should be forced to publish exactly the same information about themselves on the web site of the authority or body responsible for the leak. That wouldn't just be the person that lost the data, but their manager and their manager's manager, and so on up the chain to the CEO. Perhaps that might get their attention...
Your taxes are going to be spent, get over it. If they go to the ICO it makes no difference to you, but the people involved now have to faff about redoing budgets etc. rather than annoying the public.
Have to agree re sackings, court action though.
I'm constantly annoyed by the blithe and pedantic attitude of those who say that if 'you' are against Government moves to forcibly collect/access our data, then it must be because 'you' have something to hide.
This article nicely exposes a real reason for fighting for our data privacy.
The ICO examples all seem generally down to incompetence. The fact is that there are also many examples of Government (local & national) employees misusing access to citizen data for the purposes of bribery, blackmail and fraud.
It's all well and good to talk (as does the Home Office, for example) about giving authorities access to everything citizens do online (as is often reported on El Reg, etc) but, who will watch the watchers?
I have no faith in Governments' ability to secure data - and I speak as someone who has been involved many times in oversight of "secure" government installations. The data is as secure as the people accessing it... 'Nuff said - resist the farcical view that if you don't agree with the latest idiotic Government plan to harvest your information then, you "must have something to hide".
When council workers are faced with a spell inside for losing confidential data, you can bet your sweet arse that they will start taking care of our data.
"When council workers are faced with a spell inside for losing confidential data, you can bet your sweet arse that they will start taking care of our data."
IIRC there are provisions in the DPA to do this but the relevant Minister has not fiddled with the necessary "Statutory Instrument."
Perhaps it's time for UK commentards to make their feelings known to their MPs on this matter.
You can’t expect a bunch of headless chickens that are overworked and unwilling to say no to any request from their management due to fear of losing their job to think about bigger issues like safeguarding data.
If the only way to get the job done is to work on the train, then that is what will be done regardless of the rules, as today's deadline is always more important than what may happen later.
From what I have seen, the only effect of data protection policies is that there is another deadline to tick the box to show that the on-line training has been done, before someone gets back to their real work.