Turns out that password protection just ain’t enough anymore. Councils need to encrypt laptops as well, and this was an expensive lesson for London councils of Ealing and Hounslow to learn.
According to the Information Commissioner’s Office (ICO), Ealing council provides an out-of-hours service staffed by nine work-from-home employees. This team are responsible for collating and recording information on clients from the Ealing and Hounslow councils on their laptops.
So far, so good.
Except that two of these council-issued laptops were stolen from an employee’s home. The ICO reports that the laptops contained details of almost 3000 individuals. Despite encryption being part of the council security policy, the laptops only had a password to protect the individuals’ privacy.
The good news is that there is no evidence to suggest that the data was accessed by an unauthorised third party. Nevertheless, Ealing and Hounslow councils were fined £80,000 and £70,000 respectively for breaching the Data Protection Act.
What occurs to me here is that once these fines are paid, who should be the benefactor?
Following the incident, both councils contacted the individuals whose data was put at risk. I am sure these councils will be reviewing their security policy as a result of this action from the ICO, and let’s hope other councils realise the costly implications of having unprotected personal data on their computers.
You may also want to check out the views of Sophos’s Graeme Stewart, who blogs about public sector security and rarely minces his words. His latest post is entitled: “Exactly what sort of deterrent are these ICO fines?”