Aberdeen City Council has been hit with a £100,000 fine (about $150k) by the Information Commissioner’s Office (ICO), after an employee took sensitive files home and accidentally uploaded them to a public website.
The data, which included information on vulnerable children and details of alleged crimes, was on display for three months before it was spotted and taken down.
The incident started in November 2011, when an unnamed female council worker worked on council files on her own second-hand computer at home. These files apparently included minutes of meetings and detailed reports relating to the care of children.
The investigation into the incident failed to pin down whether the documents were accessed using remote access to council email or carried home on a USB stick. At some point after being copied to the My Documents folder on her laptop, the files were posted online by some unspecified software, thought to have been installed on the system by a previous owner and either started automatically or accidentally activated by the hapless employee.
Once online, they were not noticed until February 2012, when another council employee stumbled across them while searching for their own name, and they were promptly removed from the website. The exact location the four files were posted to is also unspecified in the ICO report.
The ICO found huge gaps in the council's policies regarding home working, which seem to have focused entirely on health and safety with no regard for the security of sensitive data, and even those policies which had been drafted were not being enforced:
In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council’s existing data protection guidance was being followed.
The Data Protection Act, found to have been breached in this case, allows for fines of up to £500,000 for the most serious data breaches.
This case highlights a wealth of common problems with working from home and BYOD (Bring Your Own Device) practices. Any business or institution dealing with sensitive data – which is just about anyone really – needs to think carefully about how that data is secured when it’s being accessed remotely by staff, just as much as when handing it over to third parties.
Strict and comprehensive policies need to be put in place, clearly demonstrated to staff and strongly enforced with both technical and regulatory controls.
The rules need to cover what data can be accessed, from where and by whom, how data is accessed, transferred and handled, and what systems can be used to work on data.
The BYOD issue usually focuses on smartphones and tablets being brought in to work, but personal laptops remain the default tool for home working. Imposing the same level of application control, anti-malware and other security measures on them is far more difficult than on systems built and monitored by dedicated IT staff.
So staff training is also vital. From the sound of this case, where the employee in question appears to have been unaware of what was running on her pre-owned laptop, IT skills were not considered an important part of her job. But people need to take more care to understand what the tools they use are capable of before blindly trusting them with information that could be incredibly sensitive if leaked.
Hopefully this good-sized fine will be an eye-opener to anyone dealing with personal information, particularly local government where data sensitivity is high but IT infrastructure tends to be disparate and creaky and skills are often minimal.
They need to wake up to the dangers of home-working and BYOD, and make sure they do all they can to minimise the risk.