Information Commissioner's Office
|Printable version||E-mail this to a friend|
ICO fines Glasgow City Council £150K
The Information Commissioner’s Office (ICO) has issued Glasgow City Council with a monetary penalty of £150,000 following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
The serious breach of the Data Protection Act comes after the council was previously issued with an enforcement notice three years ago, following a similar breach where an unencrypted memory stick containing personal data was lost.
In the latest incident, two unencrypted laptops were stolen from the council’s offices on 28 May last year. The laptops were stolen from premises which were being refurbished and where complaints of theft and a lack of security had been made. One laptop had been locked away in its storage drawer and the key placed in the drawer where the second laptop was kept, but the second drawer was subsequently left unlocked overnight, allowing the thief access to both laptops.
One of the laptops stolen contained the council’s creditor payment history file, listing the personal information of over 20,000 people, including 6,069 individuals’ bank account details.
The ICO’s investigation found that, despite the ICO’s previous warning and in breach of its own policy, the council had issued a number of its staff with unencrypted laptops after encountering problems with the encryption software. While most of these devices were later encrypted, the ICO also discovered that a further 74 unencrypted laptops remain unaccounted for, with at least six of these known to have been stolen.
Ken Macdonald, the ICO’s Assistant Commissioner for Scotland said:
“How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief. The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.
“Glasgow City Council was issued with an enforcement notice back in 2010 after a similar incident where an unencrypted memory stick was lost. To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that."
The ICO has also served the council with an enforcement notice requiring it to carry out a full audit of its IT assets used to process personal data and arrange for all of its managers to receive asset management training. The council must also carry out a full check of all of its devices each year so that the asset register can be kept up to date.
The ICO has produced guidance on the use of encryption software which is available on the ICO website.
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO regulates the Data Protection Act 1998, the Freedom of Information Act 2000, the Privacy and Electronic Communications Regulations 2003 and the Environmental Information Regulations 2004. In Scotland, freedom of information is a devolved matter and Scottish public authorities are subject to the Freedom of Information (Scotland) Act 2002 which is regulated by the Office of the Scottish Information Commissioner in St Andrews
3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Not transferred to other countries without adequate protection
If you need more information, please contact the ICO press office on 0303 123 9070.