Glasgow City Council has been fined £150,000 for a serious data breach, following the theft of unencrypted laptops.
The council has been issued with the monetary penalty by The Information Commissioner’s Office (ICO) after the laptops – one of which contained the personal information of 20,143 people – were stolen from the council's offices in May last year. This serious breach of the Data Protection Act comes after an enforcement notice three years ago, following the loss of an unencrypted memory stick containing personal data. In the latest incident, the laptops were stolen from premises which were being refurbished and where complaints of theft and a lack of security had been made. One machine had been locked away in its storage drawer and the key placed in the drawer where the second laptop was kept. However, the second drawer was subsequently left unlocked overnight, allowing the thief access to both computers.
One of the laptops stolen contained the council’s creditor payment history file, listing the personal information of over 20,000 people, including the bank account details of over 6,000 individuals.
The ICO's investigation revealed that the council had issued a number of its staff with unencrypted laptops after encountering problems with the encryption software. While most of these devices were later encrypted, the ICO also discovered that a further 74 unencrypted laptops remain unaccounted for, with at least six of these known to have been stolen. This was in spite of the previous warning and in breach of the council's own policy.
The ICO’s Assistant Commissioner for Scotland, Ken Macdonald, commented: “How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief. The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised."
Mr Macdonald continued: “Glasgow City Council was issued with an enforcement notice back in 2010 after a similar incident where an unencrypted memory stick was lost. To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that."
The ICO has also served the council with an enforcement notice requiring a full audit of its IT assets used to process personal data, as well as arranging for all of its managers to receive asset management training. The council must also carry out a full annual check of all of its devices so that the asset register can be kept up to date.
Guidance on the use of encryption software is available on the ICO website.