DataBreaches.Net


UK council fined £70,000 following theft of highly sensitive data from employee’s home (updated with response from Council)

Posted on May 16, 2012 by Dissent

From the Information Commissioner’s Office:

The London Borough of Barnet has been issued with a penalty of £70,000 for losing paper records containing highly sensitive and confidential information, including the names, addresses, dates of birth and details of the sexual activities of 15 vulnerable children or young people.

The loss occurred when a social worker took the paper records home to work on them out of hours. The social worker’s home was burgled in April last year, and a laptop bag, containing the records and an encrypted computer, was stolen.

The ICO’s investigation found that the council failed to take appropriate organisational measures against the accidental loss of personal data held on paper records. Although the council had an information security policy and some guidance for staff on handling sensitive papers, the measures failed to explain how the information should be kept secure.

Today’s penalty comes after the council signed an undertaking in June 2010 following an earlier incident, during which an unencrypted device containing personal data was stolen from an employee’s home. While the council later introduced a paper handling policy following the undertaking, this policy was not in place at the time of the second loss.

Simon Entwisle, the ICO’s Director of Operations, said:

“The potential for damage and distress in this case is obvious. It is therefore extremely disappointing the council had not put in place sufficient measures in time to avoid this second loss.

“While we are pleased that Barnet Council has now taken action to keep the personal data they use secure, it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. This includes storing papers containing sensitive information separately from laptops.”

View a copy of the monetary penalty

Update: PublicService obtained a response from the council to the fine:

A spokesman for the council told Publicservice.co.uk they accepted the ICO’s judgement, but said they were “very disappointed that the commissioner has fined the council in this instance”.

“This data loss was the result of a criminal act where a member of staff had their house broken into and material that was under lock and key was stolen,” the council said.

“The ICO also accepts that it was appropriate for the member of staff to have this material at home for this period.

“There is no evidence that the material taken has been misused in any way.”

The council raises some valid points. Was this a good use of the ICO’s power to impose monetary penalties?

Category: Breach Incidents, Government Sector, Non-U.S., Theft


3 thoughts on “UK council fined £70,000 following theft of highly sensitive data from employee’s home (updated with response from Council)”

  1. Sang @ AlertBoot says:
    May 17, 2012 at 6:49 pm

    If the papers were stolen from someone’s car, we’d be pointing out how irresponsible it is and not debating whether the ICO was right in fining the breached entity.

    The council says “lock and key” but it appears to refer to the front door to the employee’s home. I don’t consider that to be any more a secure environment than a locked car. From a B&E point of view, what’s the difference, really?

    If you’re going to claim that you had proper security because documents were locked, at least show me a strong box or a lockable desk drawer or something. I find the term “under lock and key” to be misleading under the circumstances. The documents were kept in a laptop bag that contained a laptop. I mean, come on! That’s a far cry from “under lock and key.”

    The fact that the council is claiming the “protected” nature of the data as a key reason for being disappointed with the penalty, plus the claim that there is no evidence that the stolen material was not misused (the security blanket of cowards), indicates to me that they have yet to get a clue. If they hadn’t been previously slammed with an Undertaking, I bet they’d be making the same claim had there been an unencrypted computer with sensitive data stolen on this occasion.

    Honestly, how is it any different from what actually transpired?

    Now I’m so worked up that I’m going to repeat the above in my own blog.

    1. admin says:
      May 17, 2012 at 8:24 pm

      The difference is that it was okay for the employee to have the papers at home. It’s never okay to leave documents in an unattended car. So I understand your point about having more security in the home, but in general, leaving something in a car puts it at higher risk than leaving it in a home.

      I think what bothers me about this fine is that the ICO already knew that the council didn’t have adequate security in place, but rather than just make this incident part of one whole undertaking, they issued an undertaking on the first and then a fine on something that happened within the same time period.

      Do note that there have been other incidents of documents stolen from homes. And in those cases, there was no fine issued.

      So yeah, this one didn’t seem right to me on a few levels.

      1. Andy says:
        May 21, 2012 at 4:39 am

        I think Sang has a valid point really.

        Knowledge or possession of sensitive material should be strictly limited to those cleared to have access to the information.

        If the documents were left on a desk within locked offices would that have been a problem? Yes, they are in a controlled environment but not everyone has the right to be able to view them.

        In today’s environment of remote working does an individual really need to print documents off and take them home or can they keep them on a secure encrypted laptop etc.?
