The Craven District Council (quite the unfortunate name, that) has signed an Undertaking with the Information Commissioner's Office. A laptop which contained information on 2,300 children was stolen. The device was not protected with disk encryption software like AlertBoot. So why weren't they fined?
I keep track of ICO monetary penalties. In the last three months, the ICO has been handing out significant fines, recently passing the £1,000,000 milestone in total fines handed out. In one case involving Powys County Council, a penalty of over £130,000 was assessed because one child's sensitive information was sent to the wrong person.

And yet, Craven District Council only gets a slap on the wrist for compromising the information on 2,500 children? What's going on?

Well, there are significant differences between Craven and Powys:

- The missing information is not deemed sensitive
- "Security devices" were used, allowing police to respond to the theft within minutes
- The laptop was in the office, where it was supposed to be

Again, it appears that encryption software was not used. However, since the information was not deemed sensitive, it's not the end of the world. What the ICO appears to be implying is that it's important that attention be given to potential security risks and that these be resolved appropriately. The ICO is not asking for perfect security.

On the other hand, Craven District Council had to sign an Undertaking because they forgot some key, basic actions: securing the device and keeping it out of sight:

The intruder was able to immediately remove the laptop and escape just as the police arrived. This was because the laptop had been left unsecured on a desk in a position where it could be seen from outside the office.
As part of the Undertaking, the head of the Craven District Council has agreed to:

- Encrypt any devices that contain sensitive information
- Securely store any devices that contain personal information
- Use physical security measures to prevent unauthorized access
- Provide employee training

Pretty standard, as Undertaking promises go. Had Craven District Council lost a laptop with sensitive information on 2,500 children, though, you can bet they'd be facing a different standard: penalties worth hundreds of thousands of pounds.
Related Articles and Sites:
http://datalossdb.org/incidents/5657-stolen-laptop-contained-child-swimming-lesson-details-on-2-300-children