By Lawrence Posted Tuesday 12th August 2008 12:36 GMT
No way should an individual employee be responsible for the total security of data on mobile devices. All I can do as a laptop owner is ensure that it is turned off/locked at any point that it is not in use. If such data is being transported or stored then as the PGP dude said, it is the responsibility of the enterprise and should be encrypted by default.
Give them their job back, and place the blame in the right place, and sort your data security out.
Surely we have got to get away from this idea that we've got to take work with us everywhere we go!
As mentioned in the article - ultimately the responsibility lies with the Boards of the companies and organisations involved. If they create a culture in which people feel they have to have work with them 24/7 then this will happen.
But it does show that the Hospital involved must have a very bad work culture.
By Danger Mouse Posted Tuesday 12th August 2008 12:52 GMT
"The unanimous decision of the disciplinary panel sends out a clear statement about how seriously the Trust takes security and patient confidentiality." says Murphy. Well brains, if the Trust took it that seriously they would have taken the steps to roll out an encrypted data store. It doesn't have to cost a lot, although, seeing as it's the NHS they will pick the most expensive solution when they eventually get their fat lazy heads around to it. Here's a tip, TrueCrypt, it's free as in beer and will stop the average laptop thief stumbling across confidential information. Now there's no excuse.
By Chris O'Brien Posted Tuesday 12th August 2008 12:55 GMT
You have to ask what the manager was doing with a work laptop containing patient data with him/her on holiday in Edinburgh. Although it is the organisation's responsibility to ensure proper policies and procedures are in place it is the individual's responsibility that they follow them and take appropriate care with equipment and information. Taking it on holiday isn't.
By King Keepo Posted Tuesday 12th August 2008 12:58 GMT
If this chap took a work laptop containing confidential information on holiday, left it unattended in his car, then yes, he should be reprimanded.
Locking the laptop and having it password protected is as much security as can be expected from non-IT staff, but even having it in a position where it is stolen like this is a little daft.
Theft from the home is unforeseeable, but leaving it in your car while on holiday is easily avoided.
By Andy S Posted Tuesday 12th August 2008 13:00 GMT
More to the point ... what was sensitive data doing on an employee's laptop in the first place? All sensitive data should be kept in the database and should not leave site under all but exceptional circumstances (i.e. offsite backups etc) and those circumstances should be strictly controlled and tightly secured.
By Bill Gould Posted Tuesday 12th August 2008 13:01 GMT
Is there any such creature available for the manager to appeal to? If so I'd be on the phone immediately and gouging the hospital for a nice fat settlement based on wrongful dismissal, etc. This was their fault. Then of course I'd go on holiday again with the settlement money.
By Tim Spence Posted Tuesday 12th August 2008 13:03 GMT
I agree, as I'm sure the board which sacked him would... I can only think that this guy had the data on the laptop without authorisation - i.e. he copied it off some network share when in the office, so he could "work" while sunning himself in his garden or something.
If an employee takes data off the network without seeking proper authorisation, then it's their fault if something happens to that data.
Would make a good TV show for public sector organisations.
The Corporation is at fault for not providing encryption, but also I think the Manager is at fault for leaving his laptop in his car.
Simple rules from the anti-car crime adverts, don't leave it on display, like the sign says on work vans, no tools left in van overnight, my laptop and other media kit are my tools. This manager is also a tool.
By Brezin Bardout Posted Tuesday 12th August 2008 13:05 GMT
All I can do as a laptop owner is ensure that it is turned off/locked at any point that it is not in use...
You could also try to not leave it unattended in a car. Anyone with basic common sense should know it is not a good idea to leave anything of value in a car. I certainly wouldn't, would you?
Well it's good to see someone finally getting the rap! - funny how it wasn't a minister though huh!
By ooFie Posted Tuesday 12th August 2008 13:08 GMT
However why are these people allowed to take the data in the first place?
Surely they could do a remote terminal login to a central server that requires user:pass to access data; that would be a far more secure and simple option than allowing government users to take data with them on HDD.
That way if they do have their laptops stolen, and as usual the accounts are unencrypted at least all that will be on the laptop will be a few files and the terminal software with an account that can be changed or deleted instead of GB worth of personal information on joe public.
Mine's the one with the folded piece of paper on which is scribbled in a moment of madness "Most people are Fuktards!"
By Mike Sullivan Posted Tuesday 12th August 2008 13:09 GMT
Hospital manager has his laptop stolen from his car (presumably locked) is sacked.
Mumpet from the government, gets off a train and leaves top secret military plans on a seat is what? Sacked? Given a severe talking to? A dressing down in the golf club...
By Anonymous Coward Posted Tuesday 12th August 2008 13:10 GMT
Whilst I would agree about the encryption side of things, it's possible that he's been disciplined for leaving it unattended in a car - which is quite likely to be against company regulations.
Certainly where I work now (Bank), where I worked before (Telecoms Company), and even the place before that (IT "Services Company", actually an overgrown box shifter) had it specifically listed as something you're not allowed to do.
Of course, we're in the situation where EITHER being fixed would have been 'good enough', so the IT director should ALSO be fired for not having adequate protection in place.
By Oliver Drew Posted Tuesday 12th August 2008 13:10 GMT
I think that the responsibility in this case is two-fold...the responsibility of the individual to keep his laptop stored securely (i.e. not leaving it in his car) and the responsibility of the board to make sure that hospital data and machines are secure anywhere at any time...not having an encrypted storage device is criminal nowadays as the technology is not immature and not overly expensive or difficult to deploy...for the sake of all, give the man his job back with a reprimand and look at yourselves!
By Adam Price Posted Tuesday 12th August 2008 13:10 GMT
Of course he shouldn't be responsible for the security of the data, but he should be more aware of the ownership of the hardware at least.
If someone takes something belonging to their employer and leaves it unattended in a car then they deserve to be sacked for it, let alone doing it whilst away on holidays.
By Anonymous Coward Posted Tuesday 12th August 2008 13:11 GMT
No they are right to sack the guy - why did he have the laptop with him whilst on holiday? And why was it left in the car? That's not how you treat company property with sensitive data on it.
He probably got sacked for having that data on his laptop in the first place rather than losing it - which is common and, let's be honest, accepted as something that just happens.
Since it was a unanimous decision I suspect it must have been something else than the actual loss.
By Anonymous Coward Posted Tuesday 12th August 2008 13:12 GMT
There is probably more to it than that. For instance, the rule might have been that laptops weren't to leave the hospital, let alone be taken on holiday with employees. This stinks of disciplining him for taking the laptop, but attaching the blame of the robbery too so as to keep the board looking squeaky. One bird with two stones, so to speak.
By Nemo Metis Posted Tuesday 12th August 2008 13:16 GMT
Surely this isn't still happening? After all the laptops the intelligence services have lost one would like to think that people, especially some of the country's vital organs such as the NHS and government, would have learnt to actually plough money into data encryption and not their bank accounts. Surely it's better to have a secure job that doesn't pay as well as it could over a well paid job that lasts a week because someone's after a five fingered discount?
Mine's the one with the handbook of common sense in its pocket....
By Martin Gregorie Posted Tuesday 12th August 2008 13:18 GMT
Excuse me. The guy takes confidential data ON HOLIDAY with him and it's somehow not his fault? It should not have been on the laptop under those circumstances. Full stop.
If you really believe that it's not his fault, then I have this nice bridge over the East River that I'm sure you'll want to buy.
IMNSHO confidential data shouldn't leave the server except as a backup or when it's requested item by item by an authorised client program connected by a secure LAN or VPN.
By Anonymous Coward Posted Tuesday 12th August 2008 13:21 GMT
He obviously thought that he was indispensable; why else would he take his laptop on holiday?
I can see a lot of people now thinking twice before taking work home with them; you might get a few brownie points for dedication, but the risk seems to be pretty large. Would you employ someone who was fired like this?
A few more details would be nice though; was the laptop visible in the car or locked in the boot (Merkins, that's the trunk)? Was the data supposed to be on his laptop? The story doesn't really indicate whether firing him was over-the-top or justified...
By Anonymous Coward Posted Tuesday 12th August 2008 13:23 GMT
As you all know there are 2 sides to this security game, logical and physical. The logical is ultimately in the remit of IT. Physical, in this case, is the Manager's responsibility.
To be honest, in this case, it doesn't matter a rat's arse if the data was encrypted or not, the Manager irresponsibly left it in his car to be stolen, therefore he got bagged.
But did they sack him or did they ask him to resign? Very important distinction there, if they want to minimise the chances of this happening again.
By smudge Posted Tuesday 12th August 2008 13:24 GMT
"Give them their job back, and place the blame in the right place, and sort your data security out."
The fact that they could fire the manager must mean that they have some security policy in place, that it makes breach of security a very serious offence, and that they can show that the manager was aware of it (eg training records, he/she has signed to say they have read & understood it, etc).
That's a good start.
Now they need to tighten up their systems to ensure that if such data is copied onto a laptop - and there had better be a damn good reason for needing to - then it must be encrypted.
He's a manager so why does he need patient data? If he's doing analysis on the drug/beds/costs then everything bar name and address would be sufficient. As far as I can tell there is no way that data like this should be shifted off of a central db (where it can be called up for treatment purposes), this is piss poor data management across the board, idiots like this shouldn't be allowed access to personal data.
Alien because that's what data security is to the civil service.
By Anonymous Coward Posted Tuesday 12th August 2008 13:24 GMT
... this is just a simple theft then that's a harsh punishment, if however this chap took a laptop with him on holiday that shouldn't have been there (most work laptops are for office, home and not holidays) and then left it on the seat of his car whilst he was jollying it up then that is indeed a sacking offence, as he would have known what was on the laptop. He may not have been supposed to have the records on the laptop in the first place...
the fowkin bosses should take the can as well, not the single recipient of the punishment. no encryption? that is a bigger crime than taking a laptop on holiday and being relieved of it by a discerning crook.
the unfortunate thing is that the bloke DID have data on a laptop that should not be leaving on holiday under normal circumstances anyhow.
so serves him right. but his bosses have gotten it light and are using him as an excuse to sound off about serious enforcement of their terrible data management structure.
the poor bloke was just, by extension, a victim of his superiors' bad planning. i hope this wakes their policy team up a little.
By Anonymous Coward Posted Tuesday 12th August 2008 13:26 GMT
would have been implemented under Fujitsu's plan for the NHS but were seen as "overly complicating things"... which says a lot about the support that FJ had from the client really doesn't it?
the N.H.S is its own worst enemy, the management has no backbone to enforce these things and when something like this happens they make a scapegoat out of the nearest person.
By James Bassett Posted Tuesday 12th August 2008 13:37 GMT
I think you'll find the fact that it had confidential data on it was inconsequential. He just needed something that would play DVDs to keep the kids quiet for the long drive up to Edinburgh!
By El Loco Americano Posted Tuesday 12th August 2008 13:43 GMT
Taking the laptop with him on vacation - not a problem.
Having client data available in the clear on the laptop - a problem
Whose problem? If there was a policy prohibiting the use of confidential data without encryption, or prohibiting it from use on mobile devices, or requiring encryption on all mobile devices - he deserved it.
If the security policies were lax, and this poor sap just happened to be unlucky enough to be the first one to lose a device with critical data in the clear, then he's just a patsy.
By Anonymous Coward Posted Tuesday 12th August 2008 13:43 GMT
Presumably he had the laptop on holiday because he's expected to be contactable and put in some unpaid overtime. It's the norm in the public sector now too!
I'm not saying don't sack him, but the fact that data's allowed to be unencrypted is senior management's fault. Trouble is these days although there will be written guidance, everyone knows it's unworkable, and everyone will ignore UNTIL something like this happens. Then hapless employee gets told exactly what the rules are, whilst his managers look uncomfortably at their shoes during the hearing, thinking "there but for the grace of god", without having the backbone to admit they're guilty too.
By ElFatbob Posted Tuesday 12th August 2008 13:50 GMT
he did deserve to lose his job, but at the end of the day the upper management are equally at fault. The apparent lack of a coherent and enforced security policy should be addressed....with some senior cast-offs...
"the fowkin bosses should take the can as well, not the single recipient of the punishment. no encryption? that is a bigger crime than taking a laptop on holiday and being relieved of it by a discerning crook."
Not really. If the laptop was kept in a (feasibly) secure location (i.e. work or the home) then encryption shouldn't be necessary. Leaving a company-owned machine in a car while on holiday (why has he got a business machine on his pleasure trip? I can't take my work PC home to play games on during my hols, I had to buy my own) is removing the effective security put in place. What you're suggesting is that we should have multiple levels of security put in place to cover the same issue.
One way to improve this would be to make the employee pay for the laptop. I bought my laptop for use at a voluntary organization and (call me overprotective), but I know exactly where it is at all times - even when driving the car doors are locked and it's never left in the car if I can help it (and if it were, it'd be hidden in the boot or something, not left in plain view). These guys have all the tech provided for them, so they don't care if it gets broken/lost/stolen cos they'll just get a new one (probably even an incentive when they want an upgrade to a new machine)
By yeah, right. Posted Tuesday 12th August 2008 14:06 GMT
I wonder if this is the same manager who was told he had to have the report ready the day he returned from holiday, so he was forced to take his work with him? The same manager, perhaps, who was never told about the availability of encryption software to keep things safe and was told that "locking the laptop" would be sufficient, because the board of governors were too damn cheap to pony up for proper data security?
Yes, leaving the laptop in the car was stupid. But I still smell "scapegoat".
By Illsay Posted Tuesday 12th August 2008 14:43 GMT
Let me provide some needed insight that a few commenters are missing and shine a light on the human drama, without plugging encryption tools.
Just before this manager left work for his well deserved holiday there were some pretty important reports to be finished that no one else could be bothered with at the time. Looking back volunteering for this task was a bit stupid, but the silence at the meeting was a bit awkward and embarrassing at the same time. "Yep. I'll have a look at those" was out before he realized it and he forgot about the upcoming holiday. His wife however, was not so forgetful and was p-ed off by the appearance of the laptop when they packed the car. It took miles before that subject finally died, leaving the manager exhausted trying not to look like the sucker, without playing the NHS budget card.
When they finally arrived at their holiday destination, the laptop was one of the first items the manager wanted to secure, if the dog had not escaped to freedom. The oncoming traffic barely missed the dog. The screeching of tires was deafening and the horror on the kids' faces spoke books. Seeing our manager clumsily with the laptop in his hands whilst the dog nearly getting killed was a picture that infuriated the missus. This was not a good start. Quickly the laptop was tossed in the back of the car and the dog's leash picked up from the road.
Later that day, on a terrace with a half-downed pint in his hands, the manager's mind wanders off to another meeting earlier this year when encryption was discussed. "Policies is what we can afford, no techie tools or fancy consultants and their software". This was the official guideline and there was no support for spending budget on eventualities.
Now the kids and the dog come running back from the parking lot looking all excited, bless them.
By Anonymous Coward Posted Tuesday 12th August 2008 14:49 GMT
Luckily our company does not deal with the general public, but the chances of our PHB being able to encrypt data are slim. I got called in for at least the fifth time yesterday to show him how to copy & paste.
By Jason Pugh Posted Tuesday 12th August 2008 15:07 GMT
.... just wish my company would implement this sort of policy. Leaving laptop in car = breathtaking stupidity that is pretty much inexcusable. Even if the bloke was pressured into working on his vacation (and that seems to be entirely conjecture), *anyone* who gave a damn about their job would at least attempt to take better care of company equipment. If the hospital has not implemented an appropriate data security policy, then there is certainly a question of where that responsibility lies, but that does not provide *any* excuse for this sort of behaviour.
By Anonymous Coward Posted Tuesday 12th August 2008 15:26 GMT
More laptops are being stolen whilst kept at home, whilst people are sleeping upstairs ... thieves break-in (quietly), take the laptops, satnavs and other small easily fenced items oh and for good measure they nick the car keys and take the cars as well.
I get to talk to these people who get broken in to like this and that's why I have full disk encryption, encrypted usb sticks and encrypted backups in safes ... and that is just at home 8-) Plus, the burglar alarm goes on at night!
However, this guy probably does deserve disciplining and the trust needs to tell its employees the full terms and conditions that they should work under and what the data protection act etc requires them to do. They all have a collective responsibility though.
My first reaction to the headline was "at long last, somebody's been held personally liable for data loss" but reading earlier comments has made me reconsider my bloodthirsty attitude.
It's clear, in a fuzzy, foggy, vague sort of way, that there is no established protocol covering the use of what, for lack of a better word, we can call "confidential data." By this, I mean an established, universal protocol applicable to enterprises of all sorts, not just the Colchester Hospital, the NHS, or medical operations in general.
Such a protocol might include, for example:
1. Stipulation of a confidentiality level for every data item on file. Names, DOB, ID numbers, telephone numbers, addresses would be among the more highly confidential items.
2. A need-to-know policy that relates all uses of data to the confidentiality level. For example, if a statistical study is carried out, none of the highly confidential data would be available. But note, otoh, that an office receptionist must know names and telephone numbers, among other things.
[PS: points 1 & 2 are written vis a vis medical records. In the business world, proprietary data would also be of the highest confidentiality, but would also have to be available for some statistical analyses.]
3. Universal provision of server space so data is never stored on a laptop or desktop system.
4. A review of this insane idea that one is on the job 24/7/365. Let's have a one-to-one correspondence between hours in the office and hours of work, no work outside those hours at all. IOW, no work at home, while commuting, while on vacation, etc.
5. Hardware solutions like diskless systems, blocking portable storage devices, no individual burning of CDs, etc. Alternatively, if a local disk is essential (not merely something a Big Boss craves), rollout of new machines should include installation of full disk encryption
This is the merest skeleton of such a protocol; I'll leave it to the more highly tuned brains of others to flesh it out in detail and turn it into a viable standard. [And yes, I've repeated points made in earlier comments. No claim for originality.]
The barriers to establishing such a protocol and to its implementation are two-fold. First of all, the existing standards mechanism such as the ISO is beyond clumsy and awkward, being a committee effort. I almost have more faith in the one-man RFC than the ISO approach to the formulation of standards.
Second, management are meatheads. Management ranks in many, perhaps all, enterprises of all sorts, are filled with those who have reached, and in many instances risen above, their respective levels of incompetence. Perhaps the only solution is to stipulate that organizational heads are personally responsible, and it's up to them to ensure that the managerial ranks under them fully understand and buy into such standard protocols. IOW, if you are a CEO and not a meathead yourself, you'll have to get rid of the meatheads under you. You can always put them to work swabbing out toilets. Boards would have to be responsible, at risk of dismissal, for ensuring that their CEO isn't a meathead himself.
This second barrier is more severe than it might seem. My own experience is that once an idiot manages to weasel himself into the ranks of management, he becomes an untouchable: no matter what his failures and misdeeds and incompetencies, he will never be fired, not even demoted.
Apologies for an overly long, rambling comment. I hope it provokes further thinking by the tribe of El Reg readers.
Too bad there's no "won't shut up" icon for longwinded screeds like this one. Ballmer will have to do.
By Kevin Reader Posted Tuesday 12th August 2008 15:49 GMT
To try and mitigate the fool vs scapegoat argument I thought I'd offer the following.
While contracting I had a home/work insurance policy. This covered contents for household, business and travel risks and avoided issues about is X a personal or business possession. It even covered my laptop UNLESS it was unattended/insecure.
Cover was explicitly excluded from a locked motor vehicle which counted as INSECURE.
While this may not apply to every policy I would have thought just leaving the laptop in the car was enough to take blame for the loss of the laptop. To do it with patient data on it is mad. I also wonder why a MANAGER would need to travel home with UN-ANONYMISED clinical data. For that part the NHS should take the blame, they would not have done it (hopefully) when you only had one paper file for all your patient notes.
By David Eddleman Posted Tuesday 12th August 2008 15:51 GMT
You really can't fault the guy for leaving his laptop in the car. That's not the real issue here. He left it in a secure location (behind a locked door) and that's responsible enough. Different story if he left it out in the open for anyone to take -- now we're talking gross negligence.
The problem comes from not encrypting the data and making reasonable safeguards against third-party access. The ones who should be disciplined are the company's IT staff (assuming that this guy's not on that -- if he is, well, yer fault buddy!). They gave him remote access to company data that should be secured properly in the first place.
By Jason Pugh Posted Tuesday 12th August 2008 16:11 GMT
"You really can't fault the guy for leaving his laptop in the car. That's not the real issue here. He left it in a secure location (behind a locked door) and that's responsible enough."
By dk coli Posted Tuesday 12th August 2008 16:15 GMT
Why are users still allowed to put ANY sensitive data on a laptop that leaves the building?
Do you really think that a password and/or local encryption is an acceptable safeguard?
After FINALLY getting upper mgmt to realize these things happen, a couple of years ago we were able to require users to use laptops to ONLY connect to internal systems via Terminal Svr or RDP to their workstations. No data ever has to leave the building and if the laptop gets stolen, there's no sensitive data stored locally to be worried about. I guess I'm still amazed at the number of places that aren't requiring something similar. One bad data theft will cost much more than the price of a Terminal server.
Honestly, unless they had a policy in place that specifically prohibited the user from storing data locally on the laptop... they should not have lost their job (especially not while trying to work during their vacation). If they needed to send a message, it should have been higher up because that's where the "NO's" come from when you want to implement better security on your network.
If I had been caught putting confidential patient data on anything and taking it out of the office without express permission I would have been sacked on the spot.
Why does a manager need this information on a laptop? I'm betting he copied it without consent thinking he could work with it while on holiday, and was slapping himself on the back for being so clever being able to get around the workplace security to be able to copy it.
typical arrogant management attitude in my experience.
Ok, there has been a lot of incredibly high profile data loss stories going on in recent months, but this is surely taking far too drastic action. To dismiss the manager for having his laptop stolen is outrageous... It's not like he asked the thieves to come and steal it while he was away.
As has been said, data security shouldn't be managed by the individuals, it should be managed by the business IT dept. What were patients records doing on his laptop anyway? Shouldn't that all be stored in a secure central database somewhere, which the employees access using a VPN of some description, like everyone else in the real world does?
By Random Musings Of A Mad Person? Posted Tuesday 12th August 2008 16:50 GMT
Given that he had the patient details and also the record of their treatments on the laptop it sounds suspiciously like he was helping out a drug company with a clinical trial, perhaps even on the sly against the wishes of the hospital?
The mind boggles about how people can have such a disregard for other people's personal data.
By Shane Matthews Posted Tuesday 12th August 2008 17:44 GMT
As others have said, the data shouldn't have left the hospital in the first place. At the medical facility I consult at, all PHI data resides on the database servers. Access internally is via thin clients. If someone needs to access data from home or from a laptop, they have to establish a VPN connection first.
The only time PHI leaves the facility is on encrypted back up tapes.
By Brezin Bardout Posted Tuesday 12th August 2008 18:15 GMT
'More laptops are being stolen whilst kept at home, whilst people are sleeping upstairs ... '
Are you suggesting it's safer to keep our laptops in a car parked outside?
Perhaps the reason more laptops are stolen from homes is that more laptops are kept at home. I wonder what percentage of laptops kept in a car overnight are stolen, and what percentage of laptops kept in the home overnight are stolen.
By Charles Posted Tuesday 12th August 2008 19:01 GMT
First, in order to establish a remote connection, there must be a means to access the Internet. If the location you're in happens to lack the means (no landlines, no WiFi, etc.), then you're SOL. But you may still need that data at that moment.
And as for standardising security, I give you one very important question: Who's going to PAY for all this (expletive)? I don't care if it's a matter of life or death, but we can't put in what we don't have. Where's the BUDGET for it?
By Anonymous Coward Posted Tuesday 12th August 2008 21:09 GMT
with remoteapp, xenapp etc being available, and connectivity being near universal, do we actually store anything on portable devices? After all, if you can ring someone to ask them for information or to do some work then they can be online. Data that is confidential should stay somewhere that is both electronically and physically secured, by all means encrypt your laptop but once you have the device, cracking the encryption is a matter of time.
By wayne tavitt Posted Tuesday 12th August 2008 21:26 GMT
"the BUDGET for it" is in the GBP gazillion nhs it gravy train. Or did someone forget to put security in the spec? Perhaps they can only afford to employ 'managers' whose idea of computer literacy is cut'n'paste?
By Anonymous Coward Posted Tuesday 12th August 2008 22:19 GMT
is going to paying for specific projects provided by service providers*. And yes, security of the sort we're talking about here is not part of it - that's part of the IT budget of individual trusts and it's generally pretty poor.
So much lack of understanding of the real world here it's hard to know where to start.
You can have all the policies in place you like, but you can't readily stop a manager from going to PC world, buying a laptop and copying stuff to it via a memory stick. Correction - you can, there are products which stop sensitive material leaving the network, but you try getting backing or funding for them. I'm currently organising a big encryption project, but you've got people who just won't bring 'em in. OK, I can cut 'em off the network if I have to, but - memory stick again.
You can tell people they must bring their laptop in for encrypting. You can tell them not to take sensitive stuff home to work on, at least not unencrypted. But you can't make them do it. I swear that there are a hard core of users out there with a rule which automatically deletes any email coming from anyone in IT.
Hell, there's places where you're still fighting a losing battle against floppy disks with patient data on them. Why? Because it's always been done that way. I've lost count of the number of keyboards and monitors I've ripped post-it notes off of with the username and password on them.
All you can do is fire people for grossly ignoring the policies, as Colchester apparently did.
Anonymous because it has to be.
*don't get me started on their ideas of what's secure.
By Chris Evans Posted Wednesday 13th August 2008 14:11 GMT
Was he authorised to have the data on his laptop? We don't know.
Was he authorised to take it on holiday? We don't know.
Was the laptop on full view in the car or locked in the boot? We don't know.
If I was away from work and home, locking the laptop in the boot would be more secure than say taking it into a pub/restaurant or even possibly a hotel.
Maybe the chap had previously warned about one or more of the above aspects, we don't know. But without more evidence he does appear to have been a scapegoat.
By trackSuit Posted Wednesday 13th August 2008 16:34 GMT
For over a year, Ford have had encrypted hard disks on all laptops and stationary computers. The encryption software was deployed across the network and installed without any hitches.
All Ford employees have been obliged to do a short course on basic data security.
People do not like personal data getting lost. It's made worse by the fact that such data is commercially valuable. People do not like their personalities (in a sense) being sold off and pimped to organisations who are only likely to abuse this information for gaining control of and a pecuniary advantage.
And Chris Evans "Not enough information" how much would you like? There's lumps of it round the back, going real cheap too, as in Free but and IT would just be a generally generalisation of a bigger thing which would be news?
By David Eddleman Posted Wednesday 13th August 2008 16:45 GMT
No, I live in Southern California. Right near some ghettos.
Point is, if you take reasonable methods to secure an item from physical theft with the tools available to you, how can you fault someone for breaking in and stealing it? Hell, I'm the last one to leave the office about half of the week, so it's my job to ensure the doors are locked and the alarm is activated before I go. If someone breaks in and makes off with our equipment, is it my fault? Fuck no, not unless I left the door unlocked or something stupid. At which point, it *is* my fault and being disciplined isn't unfair.
By Matt Posted Wednesday 13th August 2008 18:24 GMT
OK, so encryption wasn't installed on his machine, this isn't his fault... the IT department should have done this - 5 minutes and his data would be secure...
taking the laptop on hols, well... if he was doing some extra work, he had all rights to take it, but if it was just for storing holiday snaps and watching DVDs he should have left it...
leaving the laptop in the car.... again no one has clarified if the thing was locked in the boot, under a blanket out of sight... or if a beautiful TX series Sony was left on the passenger seat of his open convertible... the former, well... unfortunate accident, the latter, pure stupidity...
now, for me, the crunch... the sheer volume of data... if he was working on patient records he would only need a fraction of the files... if he was doing data analysis, then anonymous data as mentioned before, would be more than adequate... what were 'thousands' of patient records doing there...
He got a stiff punishment, and has been used as an example/scapegoat, but in the current climate of data loss, what do you expect...
By John Dougald McCallum Posted Wednesday 13th August 2008 21:20 GMT
<<why would anyone want to go to Edinburgh for a holiday?>> especially at this time of year, it's full of b'dy TOURISTS what with the Fringe and The International Arts Festival, Tattoo etc.
By Anonymous Coward Posted Wednesday 13th August 2008 22:00 GMT
Read what I said before. If I know the NHS and the attitude many managers have towards the IT department and security, the IT department has sent him about 50 emails telling him to bring the laptop in to be encrypted and he's ignored them.
By Anonymous Coward Posted Thursday 14th August 2008 12:16 GMT
"Laptops
"When travelling laptops must not be carried in open view but must be locked in the boot of a car and removed once the journey is complete. If laptops are taken home by staff they must be kept safely and securely, this means that other members of their family and/or their friends/colleagues must not be able to access or use the laptop.
"All laptops that leave the security of a PCT building must be encrypted even if the laptop is only to be used for remote access to NHS information systems."
Encryption software has been approved within the last two months. Prior to that the policy read:
"Furthermore person-identifiable data must not be stored on a laptop unless it is located and remains in a secure area i.e. an area which does not allow public access, unless the laptop has been encrypted.
"At present the Trust is unable to encrypt removable media and is waiting for CfH to complete its central procurement of one or more encryption tools that will assist NHS organisations to secure their patient and other sensitive data.
"Information on the use of removable media should have been submitted by managers to the Head of Information Governance as part of the data mapping exercise. This information will be used to identify where there is an operational need for encryption and to inform a planned approach to the use of encryption software once a national solution is available."
Anonymous for obvious reasons
Information Security Policies, Standards, and Procedures?
By Anonymous Coward Posted Monday 18th August 2008 03:07 GMT
The article did not mention any information security policies, standards, and procedures at the Colchester University Hospital. Are there any? Did the unnamed manager violate policy or was he a scapegoat? Did he take the laptop during the holiday because he might be on-call and he needed the laptop? Or was he watching porn on the company laptop, hence why he needed the laptop during the holiday?
Comments on: Colchester Hospital sacks manager over lost laptop