ICO fines Glasgow City Council £150,000 for laptop loss
Two laptops, one of which contained data about 20,000 people, were stolen in May 2012
The Information Commissioner's Office (ICO) has fined Glasgow City Council £150,000 for the loss of two unencrypted laptops, one of which contained personal details about more than 20,000 people.
Glasgow City Council's breach of the Data Protection Act comes three years after it received a similar penalty for the loss of USB sticks, which also stored personal information.
The laptops were stolen during office refurbishments in May last year, having not been stored away securely despite previous worries about security at the council. One of the laptops contained the council's creditor payment history file with personal information on 20,143 people, including the bank account details of 6,069 of them.
An ICO investigation discovered that - despite previous warnings - Glasgow City Council had provided staff with unencrypted laptops after there had been problems with encryption software. At least 74 of these laptops remain unaccounted for, with at least six of them known to have been stolen.
"How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief," said Ken Macdonald, the ICO's Assistant Commissioner for Scotland.
"The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people's details have been compromised."
Macdonald criticised Glasgow City Council for failing to learn from a previous data breach.
"Glasgow City Council was issued with an enforcement notice back in 2010 after a similar incident where an unencrypted memory stick was lost. To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow.
"The council should be held to account, and the penalty goes some way to achieving that," he added.
The ICO has ordered Glasgow City Council to carry out a full audit of its IT estate and to arrange for its managers to undergo training.
Commenting on the case, security analyst Bill Walker said:
"Despite the billions of dollars being spent each year on security products such as firewalls and intrusion detection systems, organisations need to consider that the biggest risk facing them comes from their staff misplacing confidential data. The stakes are so high: the theft of high-value intellectual property, perhaps a patented formula or other innovation, could lead to a company losing its competitive advantage and, ultimately, result in commercial failure.
"Organisations need to focus on educating their staff and enforcing policies to ensure that data is safe at this level. Each and every staff member should be responsible for the security of the technology rather than relying on the security technology to do it for them. These measures can help an organisation avoid the kind of financial penalties that Glasgow City Council faces today."