ICO fines council £100,000 for data breach by home worker

Last year the Information Commissioner’s Office (ICO) served Aberdeen City Council with a monetary penalty of £100,000 following a serious data breach involving sensitive information about vulnerable children being published online by an employee working from home.

This is the latest in a series of fines for security breaches imposed on public sector data controllers, but there are implications for the private sector too. A spokesman for the ICO urged those in social work to: “sit up and take notice of this case by taking the time to check their home working set‑up is up to scratch”.

The focus may be on the public sector for now, but it will not be long before the spotlight moves to the private sector.

In this case, an employee accessed documents, including reports and minutes of meetings containing sensitive information about children, families and alleged criminal offences, from her home PC.  The documents were automatically uploaded online by a file transfer programme installed on her computer.  The incident took place in late 2011 but the documents remained accessible online until February 2012, when the breach was inadvertently discovered by a colleague carrying out a search against their own name and job title.

Under the Data Protection Act 1998 (the DPA), organisations must take ‘appropriate, technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.  Particular care is needed when processing sensitive personal data, such as information about health and medical records or, as in this case, criminal offences, due to the harm that could result from unauthorised disclosure. The ICO has the power to issue penalties of up to £500,000 for serious data breaches.

Investigating this breach, the ICO found that the Council had failed to monitor how personal information was being used and had no guidance to help home workers look after such information.  On a wider level, the Council also had no checks in place to see whether its guidance it did have in place in other areas was being followed.

Home working, remote working and BYOD (Bring Your Own Device) security are currently under the spotlight and if you have not already done so, now is the time to revisit your policies and procedures. There may be financial consequences for organisations that do not ensure that personal data, in particular sensitive personal data, is secure when accessed remotely.   There are a number of ways in which organisations can seek to ensure compliance, including getting the help from a reputable IT security company. MFG’s data protection solutions provide secure, full disk encryption for laptops, PCs and Windows tablets.

Article Courtesy of BDB Law.

Share This: