UK councils fined £150,000 for data loss, but who gets the cash?

Filed Under: Data loss, Law & order

folder with padlockTurns out that password protection just ain't enough anymore. Councils need to encrypt laptops as well, and this was an expensive lesson for London councils of Ealing and Hounslow to learn.

According to the Information Commissioner's Office (ICO), Ealing council provides an out-of-hours service staffed by nine work-from-home employees. This team are responsible for collating and recording information on clients from the Ealing and Hounslow councils on their laptops.

So far, so good.

Except that two of these council-issued laptops were stolen from an employee's home. The ICO reports that the laptops contained details of almost 3000 individuals. Despite encryption being part of the council security policy, the laptops only had a password to protect the individuals' privacy.

The good news is that there is no evidence to suggest that the data was accessed by an unauthorised third party. Nevertheless, Ealing and Hounslow councils were fined £80,000 and £70,000 respectively for breaching the Data Protection Act.

What occurs to me here is that once these fines are paid, who should be the benefactor?

Following the incident, both councils contacted the individuals whose data was at put at risk. I am sure these councils will be reviewing their security policy at a result of this action from the ICO, and let's hope other councils realise the costly implications of having unprotected personal data on their computers.

If you want to learn about how to protect against data loss, you can request Sophos's Data Leakage for Dummies or visit this page for information on how to avoid becoming a data loss headline.

You may also want to check out the views of Sophos's Graeme Stewart, who blogs about public sector security and rarely minces his words. His latest post is entitled: "Exactly what sort of deterrent are these ICO fines?"

, , , , , , ,

You might like

4 Responses to UK councils fined £150,000 for data loss, but who gets the cash?

  1. Wild Bob · 1704 days ago

    Nevermind where the money goes - where does the money come from - that's right -council tax payers are footing the bill for council bungling.
    These fines could have payed for employing a decent security professional.
    Not the first time Ealing council has been caught with the information security pants down either - having been hit by a virus outbreak costing them a large amount of money to rectify.

  2. PhilCat · 1688 days ago

    Maybe sensitive data should only be on external secure flash memory that can easily be hidden in plain site vs in plain site laptops.

    If stick is inserted into wrong machine, it's deleted in a flash before it can be opened.

    If high profile $3-5k machine is always in view as you travel, someone is going to want it more than you.

  3. blondandy · 1678 days ago

    I work for the NHS. Similarly we have laptops, and it has been decreed that these should be encrypted. However, they are old and rubbish. When the encryption is installed, it makes them even worse. It takes 20 minutes from the machines being turned on to actually being able to start a program to do something.

    So perhaps the money could go towards getting better hardware that actually makes encryption feasible.

  4. Mick A · 876 days ago

    It's time someONE, not some ORGANISATION was made accountable and fined. Rather than the people whose data were compromised having to suffer again by THEIR hard earned cash being used to pay a fine to a crime where THEY were the victim; fine the person in charge of data security, or better still the leader of the council.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Hi. I am a social, brand and communications expert with 10 years in senior roles in the tech space. I'm currently Sophos' s Global Director of Social Media and Communities. Proudest work achievement? Creating and launching award-winning Naked Security. Outside work, I am a mean cook, an avid reader, a chronic insomniac, a podcast obsessive and blogger .