The Register® — Biting the hand that feeds IT

Feeds

Barnet and West Sussex breach DPA

Unencrypted USB, CDs AWOL with 9,000 kids' details

By Kable, 8th July 2010
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

The Information Commissioner's Office has taken action against Barnet and West Sussex councils after the theft of IT containing sensitive data about children.

The watchdog said that personal information about children had been lost by the two authorities because of a "systemic" lack of staff IT training. Both councils were found to have breached the Data Protection Act.

In the case of LB Barnet, an unencrypted, non-password protected USB stick and CDs containing sensitive personal information about more than 9,000 children and their families were stolen from the home of a staff member.

According to the ICO, the employee had downloaded the data onto the unencrypted devices without authorisation. But it was later discovered that Barnet provided neither training nor security to prevent such downloads.

Before the incident, the ICO had conducted an audit of the north London authority that highlighted a lack of staff training.

A similar incident occurred at West Sussex CC when a laptop with personal information about an unknown number of children involved in childcare proceedings was taken from the home of an employee.

Again the laptop was unencrypted and enquiries by the ICO revealed that the employee had received no formal training on data protection or IT security.

The ICO also found that more than 2,300 unencrypted laptops were likely to be in use across West Sussex's various services, although steps are now being taken to encrypt these.

Barnet and West Sussex have now signed formal agreements to ensure that staff will be made fully aware of their respective policies for the storage and use of personal data.

Furthermore, the authorities have undertaken to provide training on data protection and IT security and to ensure that portable devices used to store sensitive information are encrypted.

Sally-Anne Poole, enforcement group manager at the ICO, said: "These councils have shown a poor regard for the importance of protecting children's personal information.

"It is essential that councils ensure the correct preventative safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.

"A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands."

This article was originally published at Kable.

Kable's GC weekly is a free email newsletter covering the latest news and analysis of public sector technology. To register click here.

Cloud based data management

COMMENTS

House Rules Send Corrections
All Reader Comments (21)
Highly Rated
Code Monkey

Depressingly familiar

Not shooting the messenger here, Reg. You're right to report it but this kind of story is becoming depressingly familiar. I fear the planned public sector spending cuts will mean that data-handling training is only going to get worse.

4
0
Anonymous Coward
Reply Icon

vpn? secure log in? encryption?

Find me a local authority that doesn't have an it department that could advise on the safe handling of such sensitive data. I think you need to read the data protection act and see why your attitude (don't blame us we're busy) is so very wrong

3
0
JimmyPage

Sigh - I'll fix this

Losing personal data - especially that given under statutory duty (i.e. where the person giving the data has no choice by law) should be a criminal offence. Pure & simple. Like driving offences. We can then have a lawyerfest whilst the meaning of "reckless" and "careless" are debated.

All employees in contact with personal data should have a minimum qualification (ECDL ?).

After all, an employer couldn't get an employee to drive a car if they haven't got a license (certain minicab firms notwithstanding).

If an employers negligence can be shown to have lead to a data breach, the directors can be found vicariously liable.

There. You see what I did ? I treated the handling and possession of personal details seriously.

3
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
136
breaking news
Jailed LulzSec hacker Cleary coughs to child porn images, will be freed soon
Some images of infants as young as six months
68
NSA whistleblower to tech firms, Obama: 'Grow a pair!'
Ed Snowden: Email tracking grabs 'IPs, raw data, content, headers, attachments, everything'
66
NSA: We COULD track you by your phone ... if we WANTED to
Honestly, too much work, can't be bothered
54
Google flings another £1m at online child sex abuse vid CRACKDOWN
See, see, we're trying, ad giant tells Daily Mail UK.gov
41
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
SCO vs. IBM battle resumes over ownership of Unix
Zombie lawsuit back and wants to suck the brains out of Linux
119
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Not just telcos, THOUSANDS of companies share data with US spies
It's all perfectly legal, trust us
68