Council punished over theft of laptops from locked room
They forgot the sign saying 'Beware of The Leopard'
Privacy watchdog the Information Commissioner's Office (ICO) has taken action against a local authority which lost two laptop computers, despite the fact that they were stored in a locked office and password-protected.
The ICO found that The Highland Council was in breach of the Data Protection Act (DPA), and the Council has signed formal undertakings promising to encrypt all mobile devices.
The laptops contained personal details on 1,400 people and included medical information on some of them. The computers were password-protected and stored in a locked office, but they were not encrypted; a login password does not protect the data on an unencrypted disk, which can be read by removing the drive or booting from other media. The ICO said that "no additional physical security measures were in place".
"The stolen laptops contained sensitive personal information, including health records," said Ken Macdonald, assistant commissioner. "I urge all councils and their executive teams to ensure that data protection is treated as an important part of corporate governance. Safeguarding sensitive personal information must be embedded in their organisational culture. No public body can afford to take risks with personal details, least of all health records."
A formal undertaking signed by Council chief executive Alistair Dodds commits the Council to encrypting all mobile devices containing personal data by the end of September.
Many of the data breaches involving public bodies in recent months and years have involved lost machines or devices taken from clearly vulnerable locations. The formal undertakings, though, suggest that simply locking computers in a room is not good enough for the ICO.
The undertaking orders the Council to ensure that "physical security measures and procedures are adequate to prevent the theft of devices that contain personal data, the loss of which could cause damage or distress to individuals".
The ICO can ask companies that have breached the DPA to undertake certain behaviour that it thinks will fix the problem. It cannot yet take direct action against companies or organisations for breaches of the eight principles underlying the DPA.
The ICO will be given powers by Government to issue direct fines to organisations whose behaviour represents a knowing or reckless breach of the principles.
Though the extent of the fines is not yet known, OUT-LAW.COM revealed this week that the new powers will come into effect in April 2010.
The council's formal undertaking can be read here (pdf).
Copyright © 2009, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
All that will happen is that the laptops will be encrypted (BTW, this is Microsoft's big seller for Vista Ultimate into government at the moment) and the password will be stuck to the lid.
Governments want our information on a Database!
The ID Cards bit seems to have done a runner temporarily.
Numpties, plain ol' numpties ...
I think this is a bit overboard. It's not like all the physical Doctor and medical notes are written in hieroglyphics or some complex encryption. There was clearly restricted access to the media, yes it would be more effective if the content were encrypted but I don't think it's like the council were leaving memory sticks and laptops on tube trains. Ahem.
punish the residents
OK, put aside the ins and outs of this particular case and just how many locked rooms a lappy with personal data has to be stored in to satisfy this particular QUANGO. Let's talk about what will happen in the future, now that we have been told the ICO are being given the power to levy fines.
In times to come they will have the right to extract money from transgressors. In the case of fining a local authority, just who gets hurt? Not the individual whose lax observance of the rules led to the lapse (well, they might get told how naughty they've been and please don't do it again, or we'll have to suspend you on full pay and send you to your room), as council workers are pretty much bullet-proof: short of causing people to die, anyway. Nor will blame be apportioned to the committees that came up with the inadequate security measures in the first place.
Given that in future those local authorities who are found guilty and fined for their shortcomings will not suffer the consequences themselves, it's hard to see what the point of punishing their tax-payers would be.
The fine will become the burden of the council-tax payers. It will reduce the council's available cash, so either they will raise council taxes to account for it, or they will reduce services to balance the budget. Given that they are not accountable to their "customers", who most councils regard as merely a source of never-ending revenue: it's difficult to see how imposing a financial penalty on an organisation who will just pass it on to the innocent, but easily-tappable residents would be any sort of deterrent.