ICO fines city council £150,000 over data breach, 74 missing laptops

The Information Commissioner’s Office has fined a city council £150,000 after a major data breach and the subsequent revelation that 74 of the authority’s laptops had gone missing.

The ICO’s investigation came after Glasgow City Council voluntarily reported the theft of two unencrypted laptops in May 2012.

One of the laptops contained the authority’s creditor payment history file, which listed personal data for more than 20,000 people. The bank account details for more than 6,000 individuals were also held in the file.

The laptops were stolen from offices that were in the process of being refurbished. The computers formed part of larger ‘laptop packs’ and had been issued to two employees (‘employees 1 and 2’) who were required to work flexibly.

The ICO’s report said employee 1 had locked her laptop pack in a storage drawer before leaving work on 25 May 2012. She then left the drawer key in employee 2’s storage drawer.

When employee 2 left work on 28 May, he put his pack into his storage drawer but forgot to lock it. The following day he discovered that both his laptop pack and employee 1’s drawer key were missing. It was then discovered that the key had been used to unlock employee 1’s storage drawer and steal her laptop pack.

Employee 1’s laptop did not contain personal data, but employee 2’s computer contained the payment history file, which he had downloaded for work purposes.

Both laptops were unencrypted due to problems with the council’s encryption software.

“However, despite being aware of these problems, [the council] did not prevent its IT supplier from issuing unencrypted laptop computers to employees in breach of its own standing instruction,” the ICO reported.

Both employees had been aware of Glasgow’s requirement that laptops should be securely stored when not in use.

However, the offices were insecure because of the refurbishment. The council was aware that thefts of equipment had previously been reported there. The two employees had also requested encryption, but without success, the ICO said.

The watchdog’s investigation subsequently found that there were 74 missing laptops, “some or all of which may contain personal data”. Of these, six were known to have been stolen.

The ICO had previously issued the council with an enforcement notice in 2010, after an unencrypted memory stick holding personal data was lost.

The watchdog has now issued another enforcement notice, which includes a requirement that the council arrange for all of its managers to receive asset management training.

Glasgow has since taken some remedial action. This includes: implementing port control; updating its asset register; and attempting to recall the unencrypted laptops for encryption.
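The remedial steps described above (an up-to-date asset register and a recall of unencrypted laptops) can be turned into a routine check. The following Python script is an added illustration, not code from the article or from Glasgow City Council: it reads an asset register, flags laptops that are unencrypted, recorded as stolen, or issued but not checked in for a long time, and produces the recall list. The register layout, field names and device entries are constructed for the example.

```python
# Added example (not from the article): audit a laptop asset register for
# unencrypted devices, stolen devices and issued devices that have stopped
# checking in. The CSV layout, field names and records are constructed.
import csv
import io
from datetime import date

# Constructed sample register; one row per laptop.
ASSET_REGISTER_CSV = """asset_tag,assigned_to,encrypted,last_checkin,status
LT-0001,employee1,yes,2012-05-25,issued
LT-0002,employee2,no,2012-05-28,issued
LT-0003,employee3,no,2012-02-01,issued
LT-0004,,yes,2012-05-29,in_store
LT-0005,employee5,no,2012-05-20,stolen
"""


def load_register(text):
    """Parse the CSV register text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_register(rows, today, stale_days=30):
    """Classify each laptop by the risks the council's enforcement notice targets.

    Returns a dict with three sorted lists of asset tags:
      unencrypted - no full-disk encryption recorded
      stale       - issued but not seen for more than stale_days (possibly missing)
      stolen      - recorded as stolen, so the data on them must be assumed exposed
    """
    findings = {"unencrypted": [], "stale": [], "stolen": []}
    for row in rows:
        tag = row["asset_tag"]
        if row["encrypted"].strip().lower() != "yes":
            findings["unencrypted"].append(tag)
        last_seen = date.fromisoformat(row["last_checkin"])
        if row["status"] == "issued" and (today - last_seen).days > stale_days:
            findings["stale"].append(tag)
        if row["status"] == "stolen":
            findings["stolen"].append(tag)
    return {k: sorted(v) for k, v in findings.items()}


def recall_list(rows):
    """Laptops still in users' hands that must be recalled for encryption."""
    return sorted(
        row["asset_tag"]
        for row in rows
        if row["status"] == "issued" and row["encrypted"].strip().lower() != "yes"
    )


if __name__ == "__main__":
    register = load_register(ASSET_REGISTER_CSV)
    report = audit_register(register, today=date(2012, 5, 30))
    for category, tags in report.items():
        print(f"{category}: {', '.join(tags) or 'none'}")
    print("recall for encryption:", ", ".join(recall_list(register)))
```

The stale check is what turns a register into an early warning: a laptop that is issued but never seen again shows up here long before an ICO investigation counts it as missing. The stale_days threshold is a constructed value and should match how often devices are expected to connect.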

Ken Macdonald, the ICO’s Assistant Commissioner for Scotland, said: “How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief. The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.

“Glasgow City Council was issued with an enforcement notice back in 2010 after a similar incident where an unencrypted memory stick was lost. To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that.”

A Glasgow City Council spokesman said: “This data loss should not have happened and we took immediate steps to ensure it does not happen again. It is important to note that the number of unencrypted laptops was already coming down when this theft occurred.

“The council co-operated fully with the Information Commissioner’s Office and wrote to everyone potentially affected to advise them of the data loss. The ICO acknowledges there is no evidence that any bank accounts have been targeted, that the council immediately informed it of the theft and that we carried out significant remedial action.” 

Also this week, the ICO has fined Halton Borough Council £70,000 over a data breach relating to an adopted child and the successor body to Stockport Primary Care Trust £100,000 after sensitive records were found at one of its former sites.