back to article Sex abuse fax leak costs council £100k

A council that accidentally faxed details of a child sex abuse case to a member of the public was fined £100,000 by the Information Commissioner today, in the first use of his new powers to punish data breaches. Hertfordshire County Council intended to send the fax to barristers in June this year. Once officials realised …

COMMENTS

This topic is closed for new posts.
  1. Alex Walsh

    Awesome

    In a time when councils are facing budget cuts of an unprecedented level, why not fine Herts CC £100,000, which no doubt will force them to make another couple of people redundant or cut some other service.

    Tax payers in Herts contribute more per head in terms of council tax and business rates than any other authority. All of this goes in to a central pot which then gets allocated out...giving Herts CC one of the lowest allocations per head in the country. So it's unfair to start with.

    Yes, Herts CC need to be punished for this cock up but how does a penalty which will no doubt directly affect the residents help? Criminal negligence sounds a better bet, go after the dept head as that's fairer on us residents!

    1. teebie

      "make another couple of people redundant"

      starting with the person who told the peon to send the details by fax, whoever trained the peon and neglected to cover this, and whoever decided on using systems/processes that include faxing child abuse cases, on would hope.

    2. Anonymous Coward
      Anonymous Coward

      Appropriate Punishment

      The department head, head of the council and the members should be publicly flogged for this one. Doesn't cost the tax payer, but does get the point across, simples.

    3. Nextweek
      Thumb Up

      Your idea makes a lot of sense

      However it would never happen that way. The department head would cry foul to the nation press saying they were a scape goat and that a 15 year old work experience office admin is in control of their career.

      There has to be a penalty, however a monetary one is the least headline grabbing.

    4. Anonymous Coward
      Anonymous Coward

      Don't know about the number but 'damn right' in principle...

      Why recycle money through an inefficient government machine?

      Better to have the CIO or CEO do a bit of Gaol time from a criminal conviction. I suspect it would concentrate the mind wonderfully. Might also prevent the blighters from taking jollies in the 'States which would be an even better economy for the hard pressed residents

    5. Tigra 07

      RE: Alex Walsh

      "but how does a penalty which will no doubt directly affect the residents help?"

      Losing the details of child abuse victims and people using their services directly affects the residents aswell.

      People make mistakes at the end of the day, if it was the same person twice then they should be in prison now, two others and the whole council needs to be fined and told to retrain these muppets.

      1. Alex Walsh

        so instead..

        ...everyone suffers? Bonkers. My better half works in local gov and they're looking at a 40% budget cut. If they had a £100k penalty, I'm sure that would make matters much worse.

    6. Anonymous Coward
      Anonymous Coward

      Oh hum...

      "So it's unfair to start with."

      Welcome to earth. When was the last time you heard the "word" without negation? Politicians lying about fairness don't count.

  2. Cunningly Linguistic
    FAIL

    What's the point in these fines?

    It's not as if the council suffers. The only people out of pocket at the residents of Hertfordshire, and it's not as if they faxed the wrong person.

    Public money being re-directed away from the public, what good does that serve?

  3. handle

    Bcc:

    I once got an email from my local council with more than 200 people in the cc: field. I wrote to them and they said they'd modify their training procedures to point out how to get the Bcc: field (thank you for hiding it, Microsoft) and why it is a good idea to use it.

    1. Anonymous Coward
      Anonymous Coward

      @handle

      Exact same happened to me, council worker sent me an email with over a hundred email addresses in the cc: field, never bothered reporting it though, but if I was to report it, I would probably get the same stock reply as you.

  4. Basic
    FAIL

    Riiiiight

    Because faxing it to the RIGHT number would've been so much more secure - It's such cutting-edge and secure technology there's no WAY it could've been intercepted.

    1. BristolBachelor Gold badge

      Fax vs. post & email

      IANAL but I had experience of this from some IP legal cases...

      Sending by Fax (but to the RIGHT number!) is secure, because you have a direct contract with the company that provides your telephone service. This means that the information you send remains confidential.

      Using email on the other hand (even to the right individual) traverses any path through the internet to reach it's destination. You only have a contract with your ISP, and therefore the contents of the email are effectively "published" and "public". You have to use strong encryption and then argue that the use of that means that the information was not "published" and made "public."

      A similar agreement works when you send things by courier too, however numerous people will tell you how easy it is for them to loose CDs :)

      However, nothing is fool-proof, you just need to employ a more stupid fool.

      1. Tom Chiverton 1

        Right...

        We'll just ignore fax-to-email gateways shall we ? The law is so far behind it's not funny.

      2. Vic

        Not necessarily true

        > Using email on the other hand (even to the right individual) traverses

        > any path through the internet to reach it's destination.

        That depends on the mailserver configuration.

        It is a *trivial* matter to configure a server to send all mail for a particular domain via a certain route - even if the MX record of the recipient says otherwise.

        You can also require the MTAs at each end to require TLS of each other - and even require key-based authentication.

        In short, email *can* be perfectly secure - and it's not at all hard to make it so. But that requires some joined-up thinking in the IT policy, so it's never going to find its way into local government.

        Vic.

  5. Toolman83

    In other news, Hertfordshire County Council still using Faxes!

    Faxing critical private information? really? in 2010?

    1. firu toddo
      Happy

      Because....

      Faxes are more secure than e-mail?

      1. Anonymous Coward
        Grenade

        not really

        faxes are intrinsically less secure than emails if simply because the default position is you have the possiblity that a fax machine is left in a public area, so anyone can view what comes in.

  6. Anonymous Coward
    Anonymous Coward

    why not fine/imprison

    The actual person who did it! The council as a whole spend.s public money, it's specific employees do not

    1. Elmer Phud

      why?

      Maybe it's down to cutting IT funding that they had to use the fax as it's all they've got.

      Maybe the public's money needed spending a bit better.

      Maybe it's the person who stopped development of IT that needs to pay up.

  7. Eddie 4
    Grenade

    Fax!

    Why were they sending something so sensitive as a fax anyway? They can have no guarantee that the receiving fax machine is not in reception, for example. Furthermore, the barristers should know better than to ask them to fax information like this. Cock ups all round.

    1. MonkeyBot

      Back in the real world...

      It's not like they'll be picking out a random fax number with some vague link to the holding company that owns the company that employs the person they're trying to contact and hoping it arrives eventually. They'll be sending info to a know machine and someone will have just mis-dialled the number.

      Most problems like this can be avoided by employing a temp and getting them to do the faxing. After the fourth time they've typed in the same number, they'll just enter it into the speed-dial that none of the slack-jawed regular employees has managed to figure out yet. No more mis-dialled numbers.

      Not that I'm bitter about once having had to write a how-to guide for a goddamn fax machine!

      1. Tom 35

        speed dial

        Like the medical lab that managed to program my phone number into their system and kept faxing me peoples test results (most often at 2-3am) and didn't seem to be able to fix it? Once I said I was going to call the local muck raking news paper in the morning if I got another fax they some how fixed the problem.

        1. LateNightLarry
          FAIL

          speed dial

          I had a similar problem a few years ago, with the California Department of Fish and Game doing a broadcast fax during off hours to newspapers that someone programmed with my home telephone number instead of the local fish wrap. Took me more than a week to find out who was sending it, and who it was supposed to be going to, because it was dialing my voice line instead of my fax line, and didn't happen every night. After the fourth time, I hooked my computer up to the voice line and left WinFax running. The next morning, I called the daily fish wrap and told them to get it straightened out with DFG. Never got another call in the middle of the night. Fail for DFG and the newspaper.

  8. Woolly Jumper
    FAIL

    and who got sacked for this? Nobody, I'll bet.

    Fine or sack the individuals if you really want to change the culture.

  9. Just Thinking

    Eye for an eye

    Utterly stupid to fine a council.

    They should identify the person responsible* and publicly release sensitive information about them. Starting with their salary.

    *I mean the person responsible for ensuring systems are in place to avoid this sort of error, not the minion who accidentally pushed the wrong button.

  10. Citizen Kaned

    fine their dept heads

    why should taxpayers be made to suffer!?

  11. Anonymous Coward
    FAIL

    How does...

    ... one public body fining another public body achieve ANYTHING?

    That department will now need to make further budget cuts which will probably endanger more kids and cause more cock ups.

    Better solution - force the offending staff and their supervisors to go on training courses, paid for with the fines gathered from private companies (who will really feel the sting of a fine and have motivation then to sort their own garden out).

    1. Kubla Cant

      Even better...

      ...force the offending staff and their supervisors to go on training courses *in their own spare time*.

      Mark you, these people generally have such an over-generous holiday allowance that spare time isn't at a premium. Perhaps it should be "force the offending staff and their supervisors to go on *really boring* training courses, and pass exams at the end".

  12. Jon Press

    Barristers should know better than to ask them to fax information like this...

    I think the wigs and gowns are probably a bit of a giveaway when it comes to demonstrating their familiarity with the modern world.

  13. Anonymous Coward
    Flame

    Sigh....

    ...yet again misinformed commentards trolling away.

    1. This is probebrly not the councils fault. it's the shitty 3rd parties living in the dark ages. They won't accept some documents any other way.

    2. Faxes ARE more secure than email (to the dick saying it may be in reception, well your emails may be read by 20 other managers or IT staff). The problem sending it to the wrong number is no different than a typo in the email address.

    3. Faxes have delivery confirmations. Emails confirmations are often a case of yes, it's hit our email system, now good luck.

    4. Chances are it is written documentation, so you need a scan to email system set up to send it by email (see above about still can go wrong).

    5. Probebrly time sensitive, so no good sticking it jiffy bag.

    6 Who's to say the barrister gave out the correct number? Trust them to own up and say they fucked up?

    Finally the person is fucking human, How many ass wipes here have dialled a wrong number? Well you should quit your jobs now you useless sacks of shit, any idiot can use a phone.

    1. Anonymous Coward
      FAIL

      Sigh again

      1. Yep, so the council didn't make the mistake in the first place. It's their fault if they can't key in a phone number properly. The fact that the receiving end insists on fax is another issue.

      2. Email are secure too. Faxes can be read by any Tom, Dick or Harry with no trace of who read them whilst they've been sitting on the machine. At least you can tell who might have read the email whilst it was on the server since the persons will have the right security admin levels so can be traced. Reading an email whilst it's in transit is just bunkum. Yes it can happen but the work involved means it's not worth it. And emails are even more secure with PGP et al.

      3. Emails can have delivery notification. A simple request to email back is all thats needed.

      4. So it's written. But the original is likely to be digitial so can be emailed, rather than printed, faxed, and then scanned into the receiving end's CRM system (or other data management system). If the original was physical then it can be scanned in. A digital copy is better handled in any kind of office.

      5. Email are just as quick as faxes, even quicker sometimes since faxes still go at modem baud rates not broadband speeds.

      6. Well we don't know who fucked up. But double checking phone numbers, especially if it's a new contact should be standard procedure.

      We are all human, but phonebooks on fax machines and address books in email systems help minimise the mistakes we make.

      Finally, if it would be better to punish the stupid person not the council. Not a huge amount, not lose their job, but they should be able to learn from their mistake. The council should be penalised in a non-monetary way (publicity) and the council staff who allowed sloppy procedures to build up should also be punished and allowed to learn from their mistake.

      1. Anonymous Coward
        Anonymous Coward

        Your points...

        1. invalid, you can easily mistype an email address.

        2. Bizzarely enough Barristers fax machines are unlikely to be in a public place, because errm they need confidential information perhaps. If Joe public (or anyone) else has access, chance are they are far more incriminating thing laying around, you know things called case files?

        3. Ha ha ha haaaa. Do you think they will do that?

        4. Why is it bound to be digital in the 1st place? You clearly have no idea how house vists, interviews etc are transcribed. And ever tried signing your signature on your pc screen (piss off about digital signatures, they are not allocated to 10's of thousands of individual employees).

        5. Never mentioned email speed. Post, you know thing that funny man in shorts.=put through your front door. Unless you get Jiffy bag emails.

        6. Who said it was a new contract?

        As for speed dials. How big a memory do these have? 10, 20 99?

        Well with someone like social services they proberbly have in the range of thousands if not 10's of thousands of people they deal with, Landlords, Laywers, Police, Immigration. often they want written confirmation of details and won't accept an email.

  14. The Fuzzy Wotnot
    Pint

    Why?

    While I welcome the fines for this sort of thing, it now means due to the utter f**king twattery of my local council's employees, I will now have my local "rates" or whatever they are called now, put up!

    When you think about it, what is the point in fining government infrastructure bodies? Sack the useless twat that made the cock-up or their manager, but taking money away from a council body to the detrement of local services, great idea! Tell you what, let's just go down to Battersea and kick a few puppies around too eh?

    Yet some huge corp, of which the directors are personal mates with some MP or other don't get squat levied against them when they f**k-up handling our personal data!

  15. Davey1000

    Fining Bungling Councils

    Fining councils seems fairly pointless to me as at the end of the day it is the Council Tax payers who have to pay. I used to work for an organisation that took a very dim view of bunglers. In particular one had to be careful not to end up getting the dreaded Black Edged Memo. Two Black Edged Memos and one would be getting the sack. Along with the BEM came loss of annual increment. Why not apply these sanctions to council officials who bungle? Fining the council makes no sense at all.

  16. Chris Miller

    The purpose of a fine

    Is to discourage others from making the same mistake (or the original offender from repeating it). But how can a mistake like this - a simple typo in a fax number (or, as it might have been, email address) - be prevented? As long as phone numbers or email destinations have to be entered (or selected from a list) by a human, there's a possibility of error - and Sod's Law says that it will occur to some critical message.

    When my clients ask me: "how can we stop this happening to us?", I'd like a better answer than: "keep your fingers crossed".

    1. Vic

      Preventing errors

      > But how can a mistake like this ... be prevented?

      Sensitive data should go by a different route that other data - a dedicated email system or fax machine.

      And you lock down the number of possible recipients very carefully.

      It won't entirely prevent sensitive data being sent to the wrong person - but at least you know that it will go to someone with whom you already have a reasonable trust relationship.

      Sending sensitive data through the "normal" fax machine => instant dismissal.

      Vic.

      1. Chris Miller

        Good try, Vic

        and I can think of circumstances in which it might work. But consider a social services department. The majority of messages are going to contain sensitive data and will have to go through the "special" system, which then effectively becomes the "normal" system and you're back where you started.

        Many of my clients, including commercial operations, are in a similar position. Data Loss Prevention systems can provide a partial answer, but they have limitations and rely on correct configuration and I'm concerned about this brave new world where a single human error (OK two errors in this case) can result in a massive fine.

        Note that this is quite different from a situation where (as happened in another very recent ICO case) a business doesn't apply encryption to portable data and then loses the data. That's readily predictable and preventable and deserves a massive fine.

        1. Vic

          It wasn't hypothetical, you see...

          > I can think of circumstances in which it might work.

          It does work. I've done exactly this on numerous occasions.

          > The majority of messages are going to contain sensitive data

          If that really is the case, then it is entirely inappropriate to have the ability to export data directly to a general-purpose email system. What is *required* is a management application to control such export - so you might have a handful of addresses qualified to accept any data, but for the most part, each record in the DB is associated with zero or more addresses to whom that data may be sent. Modifications to those qualified addresses is checked (by double-entry, supervisor sign-off, etc.), and attempts to circumvent the system are classified as gross misconduct.

          It's not the cheapest setup imaginable - you're adding quite significantly to the database load - but it is foolproof: it can only fail when at least two people are grossly negligent, or someone of sufficient authority deliberately commits a data breach that he knows will get him fired.

          We have some fairly strict Data Protection laws in this country. If they were actually enforced occasionally, fewer people would claim things were "impossible" or "too expensive". We have data breaches because the penalty for failing to put in place preventative measures is way, way too low. I'm not convinced that fining public bodies changes that in any way.

          Vic.

  17. JaitcH
    Happy

    @ What's the point in these fines?

    The fines will make the office of the ICO self-financing and therefore a zero cost to government.

    It's win win situation, the IcO keeps his job and the Exchequer appreciates the cash.

  18. Anonymous Coward
    Thumb Down

    Mistakes?

    "We are sorry that these mistakes happened and have put processes in place to try to prevent any recurrence,"

    It wasn't mistakes it was incompetence, especially the second incident as "lessons should have been learned" by that one.

    The only process needed is to sack incompetent staff and that includes management.

  19. doofus

    Council efficiency

    Why not fine the council and ring fence the council tax so that fines come out of council operational budget for salaries - less/no pay rise or increase in pension provisions - a sort of performance based fine. Your **ck-up, you pay - not the tax payer.

  20. Anonymous Coward
    Paris Hilton

    S'easy really

    All Council fines to be taken from the wages budget or bonus budget not from operational budgets.

    It might make sense for a council employee to have wages in part basic salary and in part bonus?

    That way fines can be taken from a bonus pot (I'd guess that would mean senior managers on very little bonus and low wage employees on 30/70 split between salary/bonus which just goes to show there probably is no systematic fairness solution where employees are prepared to abuse)

  21. Anonymous Coward
    WTF?

    huh?

    ""We are sorry that these mistakes happened and have put processes in place to try to prevent any recurrence," it said."

    so what they did before was just randomly hitting a few numbers on the keypad and hit FAX without checking, and the new 'processes in place' are looking at the number display and compare if correct? Really?

  22. Anonymous Coward
    Joke

    Publishing and UK local authorities

    In order to ensure publishing information does not compromise the content holder, individuals or the Council we have extended our Publishing department. The Publishing Department will have a Director with emoluments in the range of £250,000. This is justified as it represents a cost of less than three fines assuming the level of fines is not ramped up.

    A Director has been appointed (it just so happened that a 16 year old child with A* rating in GCSE DTP has been appointed. The child belongs to family of the Council leader and will receive daily support and encouragement while in post otherwise child's dad will give him a jolly good talking to.)

    Now then, the precedent. The precedent is that a local authority has been found guilty.

    What usually happens in the UK is that a complaint might be made. If the complaint has good basis word is leaked out. By the time the complaint has been investigated changes have been made and observed but without any quoted commencement date hence complaint unfounded.

    If the councils don't wish to do that an Ombudsman may be appointed to make investigation in which case if the complaint looks to be upheld the Ombudsman will inform council's that papers will be filed for three months and looked at again.

    In the fourth month Ombudsman looks at stuff and finds that basis for the complaint is not evidenced hence the complaint is dropped.

    1984 is - how you put it? - so dull by comparison?

  23. Anonymous Coward
    Unhappy

    In our organisation ...

    ... the policy is:

    enter the number into fax memory;

    check the number by sending a blank fax;

    phone to confirm it's been received;

    sned actual fax;

    phone to check it's been received.

    Orf course no-one follows the procedure.

    The other alternative is secure email (there are approved email systems for public bodies) or as an encrypted attachment to an email (256 nit AES or above).

    Solicitors, courts and barristers do tend to demand faxes and demand them now. We tend to refuse, or at least work within legal timelines unless we receive a Court Order. Being intimidated into hase tends to make for mistakes.

    I'be just been threatened, by a barrister, with a summons to appear in court if I don't give up personal medical information NOW. I've asked her to send the expense claim form.

  24. Anonymous Coward
    Anonymous Coward

    Let's not fine the council?

    'cos they'll be able to employ 2 fewer rude, arrogant, lazy, overpaid, useless bureaucrats that money would otherwise pay for. And it would have the effect of placing councils above the law. Do I hear the same complaints if it was a private company being fined? i.e. one that creates productive jobs, lives or dies by the quality of its products and services? One that just like a council may have to respond to a fine by cutting staff or increasing prices?

    Worst of all the council will pay the offenders loads of redundancy money and protect their generous pension.

    Anyway, glad the info comissioner is using his teeth, maybe he'll fine the ****s who make phone calls to my TPS registered number (at 2:00 a.m last week). The legislation allows for a fine of £5k for each call made to a TPS numbeR. That power has NEVER been used.

  25. Steve Davies
    WTF?

    usual council response. - i.e. cr@p

    "We are sorry that these mistakes happened and have put processes in place to try to prevent any recurrence"

    Errm, processes ? Plural. ?

    How many were missing.

    Surely an amended procedure is all that should be required.

    Missing mulitple processes is an admission of absence of 'due care'.

    So more toes blown off there by the 'spokesman' (i.e. b/s'er )

    I am told that just about the only tort they can get done for is misfeasance and that would be a hard row to how in this case as intent and (pre)knowledge would be impossible to prove.

    Howver council employess are are not immune in any way to criminal charges.

    Now the ICO has made this finding witll the CPS be bothered.

    Fat chance.

    ICO was right to hit them. he is not a judicial person so all the usual args re comity etc that the courts use to not punish or interfere with or overturn council unlawfullness don't apply to him.

    Sackings called for - its the only way. Will it happen ? No chance. or if it does it will be a scraificial low life or someone who already has an exit plan in place and a safe landing place ready to use.

    Public servants - my ar$e.

    Question authority - its your constant duty.

  26. Ewan Robson
    Thumb Up

    Don't fine - sack

    I must say I have had a good chuckle at some of the comments and in short I agree mainly with the idea of fining/sacking of the responsible person, i.e. the Director. Why fine an organisation that is strapped for cash because it will be the public who will pay.

    As for the technical argument (E Mail against Faxing) both have a common denominator and that is the member of staff. Yes Faxing is more direct but costs money, e mail, unless encryption is in place, less secure but cheaper. You decide?

    I will tell you now the council and A4e will be bricking themselves right now and too right.

    I am just intrigued to see who will get the biggy £500,000!!!!!

  27. Alan Brown Silver badge
    Troll

    email - security arguments

    Even with all the arguements about routing email, the ONLY way to secure it is to use end to end 2-key encryption (4 keys required)

    If you're going to do it the modern way then ffs do it right - and as far as faxing handwritten stuff is concerned, a scanner is all of about 10 quid these days....

    A long time ago I used to get faxes directed to a finance company which insisted on giving out the wrong area code. After 2 years of complaining, the faxes stopped coming in within days after I started faxing back the forms with "REJECTED, POOR CREDIT RISK, BAD DEBTS" written across them.

  28. Astarte

    Procedures

    Having been involved in transmission of sensitive information the recognised correct method is to telephone the intended recipient, confirm their identity or authority to receive such information and confirm their fax number then ask them to wait at the fax machine. The fax is then sent and the recipient has to confirm receipt. If the confirmation is not received an investigation can be initiated immediately and appropriate action taken. The first step in this case is to send a statutory notice to the same number regarding how to deal with the fax.

    It is the sender's responsibility to confirm correct receipt of the fax. The sender's fax machine should not have automatic re-send activated.

    This is a simple procedure which should be in the sender's job description along with a notice regarding action to be taken if the procedure is not carried out.

This topic is closed for new posts.

Other stories you might like