By Brian Davidson, CIPP/E
The Information Commissioner's Office (ICO) has issued Glasgow City Council with a 150,000 GBP monetary penalty notice following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
The laptops were stolen from the council's offices—premises which were being refurbished and where complaints about theft and a lack of security had already been made—on 28 May last year. One of the laptops stolen contained the council's creditor payment-history file, listing the personal information of more than 20,000 people, including 6,069 individuals' bank account details.
The breach of the UK Data Protection Act comes after the council was previously issued with an enforcement notice three years ago, following a similar incident where an unencrypted memory stick containing personal data was lost.
The latest ICO investigation found that, despite their previous warning and in breach of the council's own policy, the council had issued a number of its staff with unencrypted laptops after experiencing problems with the encryption software. Whilst many of these laptops were later encrypted, the ICO subsequently discovered that a further 74 unencrypted laptops remain unaccounted for, with at least six of these laptops known to have been stolen.
The ICO has also served the council with an enforcement notice requiring it to carry out a full audit of its IT assets used to process personal data and arrange for all of its managers to receive full asset-management training. The council is also required to carry out a full check of its devices each year so that its asset register can be kept up-to-date.
Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.