ICO fines Glasgow City Council £150,000 for unencrypted laptop chaos
- 07 June, 2013 18:31
Glasgow City Council has been fined £150,000 and heavily criticised after failing to encrypt dozens of laptops, including one containing the personal data of thousands of people that went missing from its offices.
In total, 74 unencrypted laptops are believed to have been lost or stolen from the Council, many of which probably contained persona data but it was a single theft in May 2012 that raised the most serious concerns.
In that incident, a laptop containing the personal data of 20,143 individuals and 17,692 businesses was stolen from its offices along with a second machine. In 6,069 cases, this included bank account details as well as names and addresses.
Both had been locked in office drawers but, importantly, neither had been encrypted due to "problems with the data controller's encryption software."
The ICO discovered that Glasgow City Council was aware of this technical problem but allowed unencrypted laptops to be issued to employees in contravention of its own guidelines.
The employees had also been aware of the need for machines to be stored securely but their efforts had been compromised, the ICO inferred, by refurbishment work to the Council's offices which raised the risk of theft.
During the breach investigation it emerged that dozens of other laptops had also been issued in an unencrypted state, including at least six that had been stolen.
"How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief," said ICO assistant commissioner for Scotland, Ken Macdonald.
"The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people's details have been compromised," he said.
Worse still, Macdonald said, was that the Council had been issued with an enforcement notice in 2010 after losing an unencrypted memory stick.
"To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that."
Without doubt, the Council would have faced a far larger fine had the loss happened outside its offices. That the laptops had at least been locked inside a drawer in its offices probably saved it from a record fine.