Council fined for randomly emailing personal data Surrey County Council has been fined £120,000 by the Information Commissioner's Office for breaking the Data Protection Act. The council was rapped for three separate offences. Firstly, in May last year it sent mental and physical health information on 241 individuals to the wrong group email address. Recipients included cab …
Whats the point of this farce? One section of govt fines another section of govt and the taxpayer picks up the bill.
Until they start fining (and sacking) the INDIVIDUALS responsible this sort of crap will go on and on and on.
Typical (and all too common) public sector incompetence and the tossers will still have a job this time next year.
Try landing your employer with a £120k fine in the private sector and see how long it is before you're escorted off site.
"The file was not encrypted or password protected."
Cos it would have been ok if it was "password protected", wouldn't it?
Why are we saying this as if it makes any difference to the leaked information? There really needs to be more effort from everyone to hammer the point home that as a method of security, "password protection" is as useless as locking your front door when you have no walls.
Firstly, why is it suitable to populate and disseminate an excel spreadsheet with sensitive data? Surely there is a better/more secure way to do that? Or if you have to, why send the spreadsheet, why not a link to some secure internal shared space? Even if the link gets out - dead URL contained in it.
Secondly what's the point of a Government body fining another Government body? Surely the Council's bigwigs will just shrug this off, it's not their money. Why not fine the directors (or equivalent in public sector bodies) personally, each at this level. The threat of a £120,000 personal fine would mean I'd certainly tighten up all the procedures as a matter of priority.
In the meantime, the good citizens of Surrey suffer either via a Council Tax rise to cover this, or a reduction in services to make up any shortfall. The Council itself, bar some bad publicity, is in the clear.
"Information Commissioner Christopher Graham said the council had paid the price for failing to handle sensitive data appropriately or to have security measures in place."
He means the people who live in that borough paid the price through more cuts to their local services or increases in council tax to pay the fine right?
To fine the council tax payer.
Fine the pension fund of the chief executive then the council will take more notice and work to prevent this kind of stupidity.
Fire the people who sent the emails out as well.
Charging the public purse for the failures of individuals will achieve absolutely nothing.
this country. The council doesn't have the resources to train it's staff to make sure these idiocies don't occur, and the best way to deal with that is for the courts to take away more resources by fining them.
Wouldn't it have been better if the court had ordered the council to spend that money on training, or for implementing safe guards ? Like a proof reader type person who could manually validate the post before it went out.
ALF
"Surrey County Council has been fined £120,000" - No I think you'll find that ultimately tax payers have been fined £120k.
Don't bother giving fines to these public bodies – none of them view it as real money anyway; it's about time those responsible are strung up from the nearest lamppost and made to pay for their utter incompetence!
doesn't work. It only hurts the ratepayers because the council will just factor the fine into its budget and raise rates accordingly. What needs to happen is that the oiks responsible for sending the emails should be PERSONALLY fined. Then it doesn't affect the ratepayers, and the idiots responsible get an expensive lesson on why to treat other people's information with respect.
This is just the tip of the iceberg, only that the majority of the problem doesn't involve personal data.
The entire council has a policy of non-transparency and avoidance of responsibility. It's a wonder they didn't attempt to cover this up and threaten the people complaining to the ICO with dismissal.
"Soon after that incident in June, the council sent a second email containing personal data on several individuals to 100 people who had registered for a council newsletter."
Oh well I suppose they at least got their money's worth from their council tax that month!
Honestly what the flipping heck is wrong with these dingbats? How about putting a block on the email servers that quarantines anything with attachments coming in or going out? Alright it's not perfect, but better than just sending stuff and only realising it some days later when it's way too late to be able to do anything. If someone has to release emails there is at least a "paper-trail" of responsibility.
"Information Commissioner Christopher Graham said the council had paid the price for failing to handle sensitive data appropriately or to have security measures in place."
Oh really? You mean the council tax payers are going to pay the price in reduced services in order to meet this fine. Did anyone's head roll?
"...said the council had paid the price for failing to handle sensitive data appropriately..."
Really someone in the council should be responsible for ensuring they do the right things (even if they don't have the title 'data controller'). What happened to them? Have they had their hands cut-off? Slap on the wrist even?
Fining the council does nothing except further punishing the people of Surrey, since there will be less money to pay for ther services.
I'm glad to see the ICO starting to grow some teeth, but I think that they need to be bared more often, and used against PEOPLE who are the cause of the issues.
" ... the council had paid the price for failing to handle sensitive data appropriately ..."
Actually, Surrey ratepayers (poll tax..) will pay the price, in reduced spending on services or an increase in their payments next year.
I'd like to see fines of this nature levied on executive salaries/bonuses and managerial bonuses, over a three (or so) year period. Yes, dream on, I know.
but was unable to verify what happened to the information.
Are there people out there who really believe that works?
Another MS-foisted Outlook problem.
If public orgs realy had a clue, info like that would be on a secure server linked to users with one-time URLs , not needing to be emailed at all - just like a decent content delivery network
*sigh* Until people are actually made to pay for their mistakes, through disciplinary action or losing their job, this will keep happening. It's always "lessons learned" and "new procedures", but it needs each and every person handling confidential data to (1) KNOW how to secure it, and (2) THINK about possible risks.
"Surrey Council has since added an alert function when sensitive information is sent to an external email address."
Hopefully this stops sensitive information going out rather than notifying after the fact. But how would such a function work? Does sending of an Excel spreadsheet trigger it as it's well known that it's used The Database.
You'd think that after the first incident, they'd have got in the habit of at least using password protection.
The newer versions of Excel (for example) encrypts a password protected file and currently the only (public) way to get to the info is by brute forcing the password. I'm talking about password locking the file, not a sheet (which is still insecure).
"Surrey County Council has been fined £120,000 by the Information Commissioner's Office for breaking the Data Protection Act."
Should read:
"Surrey Council has been fined £120,000 by the Information Commissioner's Office for breaking the Data Protection Act but no one at Surrey Council will be punished and the people of Surrey will actually pay the fine through their Council Tax."
Poeple of Surrey, sack someone senior in the Council in a very public manner so that other Councils will learn and ensure the Executive of Surrey Council do not get a bonus this year.
If you can recall it, it's not email.
Want an analogy? If you're quick enough you might snatch something back out of company pigeonholes or even the "in" tray on someone's desk. But getting anything out of a post box requires at least waiting for the collector, but were I him I'd not let you without some sort of proof you put the letter in there in the first place. As for letter boxes, that'd be breaking at least if not quite entering.
Likewise email. If you've handed the mail off to someone else's email handling machine, it's no longer in your power to recall. If you don't understand that, you really don't have business using the service. So it's not a valid argument.
are they paid?/do they understand? The majority of staff on yer local council do not even understand computers let alone the security issues such as encryption. How many are 45+ yrs. old? You have local council managers applying cost cutting across the board - more "work - i.e. duties" for the same pay with little or no training. These workers do not understand exactly what the keystrokes mean ffs! They just do the job. Any confidential info.should be held on an encrypted file anyway. Local govt. is broken as far as these issues are concerned - if the high street banks can't be arsed to do anything about it, what price your local council? FFS!
Paris - 'cos she can be arsed, allegedly...........
Staff doing this should face disciplinary procedures, to understand the seriousness of the transgression - AS SHOULD THEIR MANAGERS.
I'm glad the ICO is starting to bare its teeth but they need to go after some of the more egrarious offenders such as advertising compasnies which are still scraping data,
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
