It gets worse...
They've been properly doxed: http://pigeonsnest.co.uk/stuff/thieving-gypsy-bastards.html
An Essex council has been fined £150,000 for publishing highly sensitive personal data, including medical information, of a traveller family via online planning documents. The Information Commissioner’s Office (ICO) slapped Basildon Borough Council for publishing the information in planning application documents, which it made …
So, as long as you are considered unsavory, you can have your personal details treated like trash? Why is it PC to think that anyone, even a villain, gets to be treated to less than decent standards? If they're a fine upstanding citizen, how shocking, but if they're a dog, OK to kick them?
Once again, the taxpayer coughs up and the council cretins just waste more taxpayers' money.
It's about time the legislation held individuals in public sector organisations personally accountable.
If the drone responsible for the breach is paid £20k, their boss £40k, their boss £80k, and the CEO of the council £160k, then the fine should be levied vaguely proportionately on their take-home pay over the next year - the drone should pick up £0 (but may well be fired if it can be shown they've blatantly disregarded procedure), the boss £10k, the next boss £30k, the CEO £70k, and the council forced to invest the remaining £40k into systems and processes to stop it from happening again...
Taxpayers should be on the hook for government mistakes, they have the power to vote out those in charge and really ought to be more concerned about the quality of the candidates put forward for election. I have no objection to individuals being prosecuted for blatant negligence though, although there should be robust checks in place to make it hard for an individual to screw up.
"Taxpayers should be on the hook for government mistakes, they have the power to vote out those in charge"
Great idea! Now, could you just explain, how do I vote out Amber Rudd for the wholesale mistake that is her approach to data security and privacy? And next year, when there's no general election, how are they held to account - and immediately, not after waiting for a few years?
Your argument makes little sense, if you've ever been involved in a breach you'd know that it's typically down to one person's mistake initially then a series of mistakes over the course of the next few days as people try to cover it up. The "best" breaches are those where staff put their hands up so you can try to contain and get control back over that information (usually not possible, but sometimes it is), you can then notify the ICO and you can talk to those involved most importantly the data subjects whose information has been spewed.
In terms of "taxpayer coughing up" the monetary penalty goes from the council to central government, it doesn't go to the ICO and then essentially through loans etc to councils will end up back there eventually.
The public need to start understanding that public sector organisations, (especially the NHS - and I'm excluding GPs as those are PRIVATE contractors) are very good at self-reporting to the ICO. This is why the stats typically show that the public sector are AWFUL at handling information but in reality they are generally better than private firms, just that they are far happier to notify the ICO when something happens.
Having worked in private and public sector over the past 25 years I can honestly say I've personally reported my organisations to the ICO half a dozen times, yet never had approval from private companies to do so - even when the incident was arguably far, far worse. It comes down to money and lack of "give a toss" about data subjects.
Round here, the 'family' that applied to turn the field they had bought with 'agricultural permissions' only successfully were allowed to add hard standing and a toilet block 'because their daughter was disabled, and needed a peaceful quiet life' before they then rented spaces out to about 50 more caravans.
In the numerous instances of this type where the council quite readily release private data, are there ever any instances where the names of those council employees responsible (lowly office staff to the "Chief executives") are disclosed? I suspect not.
Agreed, that it is long overdue that such people should face criminal charges themselves.
As the guy who works in public sector at the moment and who reports my organisation to the ICO when there's a breach I'd love for staff to face disciplinary when it happens. I rarely see that though.
Mistakes happen, genuine "shit I sent that to the wrong person" mistakes, should people lose their job over it? Well personally I think that should always be an option when they've caused actual harm by their actions. However I have yet to see it happen.
Staff names are typically removed from reports the ICO get, I'd love them to demand those and publish those involved. My name will be on the ICO multiple times - as the person reporting it and the contact for the organisation, but others should be up there for having been held responsible for the breach.
This shouldn't just be the chief execs though, it has to include those who have direct line management responsibility if training was permitted to slip, if policies were not up to date and staff not aware of them etc. Putting a single name up won't be enough, it has to be the "chain of command" from top to bottom that could have prevented it.
There are also typically prosecutions that could be brought but again never are. Section 55 of the DPA is one such area but there are many others - we simply don't hold people accountable, but then again we don't for virus infections either even when it's personal USB sticks brought in from home - because the organisation should simply have tools to block those working right?
But surely if that sort of thing isn't permitted by policy (rules of your employment essentially) then you should be sacked for doing it?
IT breaches in general are seen as trivial when it comes to disciplinary action, I've seen people hit far harder for mistakes on their time sheets or breaking a window by accident.
slaps down those many arrogant bastards who inhabit our city halls.
Whoever thought they were fit to handle any confidential data was less, far less, than smart.
Local tin-hats should be made personally responsible for breaches of law instead of sticking the costs on local council bills.
The size of the fine is interesting as it is more than Pharmacy2U got fined for deliberately selling lists of clients' names and diseases and addresses. A very specific list was sold to an Australian "lottery" company.
ICO fined them £130,000 which actually means £117,000. They have not been struck off the NHS recommended list and it has badly upset the pharmacists' and doctors' bodies. Curiously they hold the belief that this information is private and pharmacies should know that.
I think the Basildon fine is in the right ball-park but agree that the fine should not be for rate-payers and also those in charge of the systems/training etc need publicity etc. The fine by ICO for Pharmacy2U was totally inadequate, as is the NHS response [zero].
Obviously the council should not be publishing personal details but if those personal details were included in the planning permission as justification for the proposed building etc. I can see how they would slip through the gaps. Planning permissions are meant to be public record (with good reason!) but if someone states that they need X,Y,Z built and it wouldn’t be authorised if there were no medical/disability component then the medical/disability reason has to be a matter of public record. However, I’m not saying for one moment that the level of detail that seems to have been published in this case is justified.
As to the scale of the fine: no problem with the actual amount per se but I don’t know if I would be happy with it all going to the family concerned. I think you would have to make a very, very good case to justify personal damage/stress etc. for that amount.