ICO Doles Out Penalty to 2 Councils for Data Breach

Bob Styran, IT audit expert
February 08, 2011

For the fourth time since it served its first data breach fine, to Stoke-on-Trent City Council in November 2010, the Information Commissioner's Office has used its penalty powers, this time against two councils that lost unencrypted laptops containing highly sensitive personal information.

Ealing and Hounslow councils were ordered by the ICO to pay £80,000 and £70,000 respectively after the two councils violated the Data Protection Act by allowing their employees to carry unencrypted laptops without enforcing tight security measures.

The ICO added that Hounslow council's failing was that it had no written contract with Ealing requiring proper monitoring of how the service was carried out.

Ealing provides an out-of-hours service operated by nine employees working from home. These employees get their contact lists from various sources and keep personal information about different individuals on laptops that were not encrypted. Around 1,700 clients of Ealing and Hounslow were exposed by the data breach.

Although the laptops were password-protected, the fact that they were not encrypted raises security concerns for the clients affected, the ICO said.

On the other hand, the ICO maintains that no indication of a data breach has been reported so far.

“Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough,” said David Smith, deputy information commissioner.

However, Valerie Surgenor, an IT and IP specialist lawyer, has challenged the actions of the ICO, which she observed are consistently directed against government bodies.

“We need to ask why is this the case when we can see from notices on the ICO website that breaches are also carried out by private companies on a regular basis, but it would appear they don’t seem to be getting targeted,” Surgenor said.

It can be noted that the ICO did not impose similar fines on Google when its Street View cars collected payload data that contained passwords and email addresses. The search giant only signed an undertaking ordering the company to improve the way it handles sensitive information. Google could have been fined £500,000 for the data breach.

The ICO said it would conduct a full audit of Google's internal privacy practices, its privacy training programs, and its systems for reviewing privacy matters in new products.

The ICO's first fine was handed out to Stoke-on-Trent City Council for losing a memory stick containing court reports and information about the care proceedings of 40 children.

An investigation showed that the security measures in place were not followed: anybody could open the files on the USB device, which had not even been password-protected.

Following the data breach, the council has since signed an undertaking committing it to strengthen its security measures on personal data handling.
