London councils fined thousands over lost laptops

The Information Commissioner's Office has levied fines of tens of thousands of pounds against the councils, following the theft of two unencrypted laptops in the spring of 2010
Written by Tom Espiner, Contributor

The Information Commissioner's Office has fined two London councils over losses of unencrypted laptops containing sensitive data.

Ealing Council was fined £80,000, while London Borough of Hounslow Council was fined £70,000, after the two laptops were stolen from an employee of Ealing Council in a burglary in the spring of 2010.

The devices contained the details of 958 Ealing Council clients and 698 Hounslow constituents, according to an Information Commissioner's Office (ICO) ruling published on Tuesday (PDF). One of the laptops was issued by Ealing, while the other was a personal laptop belonging to the employee. Both were password-protected but not encrypted, even though both councils forbade keeping such data on unencrypted devices.

The ICO decided to levy the fines after finding that both councils were not monitoring their processes properly, and that there were systemic failures to protect the data, a spokesman for the data protection body told ZDNet UK.

"Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order — otherwise they too may have to learn the hard way," deputy information commissioner David Smith said in a statement (PDF).

Ealing Council said that the laptops had been stolen from a council officer who needed the information for urgent out-of-hours calls.

"Once the burglary was discovered we informed the police, who assessed that the risk of the information being used was very low, and we alerted the information commissioner," the council said in a statement. "We regret the unfortunate loss of the personal data and have introduced new procedures to guard against future incidents."

The council officer was one of a team of six who regularly worked from home and at unconventional hours, according to the ICO. The lost data included names, dates of birth, age, gender, ethnicity and the action taken by the team.

An Ealing Council spokeswoman declined to give any details about the nature of the data because of its sensitivity. Services run by Ealing Council include children and young people's services, such as fostering and youth offenders' programmes, and social care, such as child protection services and mental health services.

Hounslow had sub-contracted out some of its out-of-hours services to Ealing as a cost-saving exercise, a Hounslow Council spokesman told ZDNet UK. According to the ICO, Hounslow handed over its data to the Ealing employee without making sure that Ealing Council was following its own policies for keeping information secure.

Hounslow Council said there was no evidence that the information on the laptops, which have not been recovered, had been accessed.

"We accept the information commissioner's conclusion that we should have taken additional steps to ensure that, in practice, Ealing was applying security measures to the data it collected on our behalf," Terry Welsh, Hounslow borough solicitor, said in a statement. "We are now acting to ensure that a rigorous programme of compliance monitoring is implemented."

Welsh added that Hounslow's laptops are encrypted, and the council has information security policies in place.

These are the third and fourth fines levied by the ICO. The first fines of £100,000 and £60,000 — against a council and an employment agency, respectively — were announced in November. Since the ICO received the power to impose penalties of up to £500,000 in April, privacy campaigners have criticised the ICO for not fining large organisations for data protection breaches.

Smith stressed that companies and organisations must put encryption on mobile devices containing sensitive data.

"Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops," Smith said. "Where personal information is involved, password protection for portable devices is simply not enough."
