The Register has contacted Norfolk County Council for comment
You'll be lucky, the response from the Council is in the bottom of a locked filing cabinet in the basement of a secondhand shop in Great Yarmouth...
Norfolk County Council left files containing sensitive information about children in a cabinet that was dispatched to a second-hand shop. As a result of the gaffe, the council, tucked away on the east coast of England, was this month fined £60,000 [PDF] by the UK Information Commissioner's Office (ICO). The cockup occurred …
"It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal were thoroughly checked before disposal."
Or it could have employed people who had a modicum of common sense.
Meanwhile, it's the council tax payers who'll eventually foot the bill.
"It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal were thoroughly checked before disposal." Or it could have employed people who had a modicum of common sense.
Agreed.
If that kind of thing needs to be written down for people to actually think to do it, then we're in trouble. We're also going to need a lot more filing cabinets to hold all the written procedures to make sure people do things that ought to be obvious.
More seriously, I suspect that with the point about "it should have been written down", they're not really trying to suggest that people might have done it differently if there had been a written procedure; it's more about the fact that in the absence of a procedure that's been broken, means that they don't have any ability to discipline the individuals responsible.
If you don't have a procedure then you can't check that things are being done. And you certainly can't make sure they are applied consistently across an organization.
That is my take after a fair few years running an activity accredited to an ISO standard.
Policy -> Procedure/SOP -> monitoring for compliance -> well-deserved bollocking when it goes wrong (technically corrective/preventative actions) -> improved procedures
re Spudley
I disagree. Yeah, there was no written policy for a lowly employee to follow but there sure was a 35 hour a week maximum, loads of time off in lieu, and most Fridays at home, very well paid (and remunerated) "manager" or "executive" whose ROLE it is to write such a Policy and see that it's adhered to.
Disciplinary procedures against such a person?
Hell NO. At that grade these usually consist of a large PAYMENT to actually leave the job, additional pension payments etc rather than be dismissed. Oh and by the way, here's a similar vacancy two councils down the road.
"If that kind of thing needs to be written down for people to actually think to do it, then we're in trouble."
That's ISO9000 and friends for you. They're bureaucracy standards which are intended to replace thinking so the least skilled or intelligent people you can recruit will be able to follow them.
"in the absence of a procedure that's been broken, means that they don't have any ability to discipline the individuals responsible."
Last time I looked, gross misconduct and/or gross negligence are reasons for disciplinary action, up to and including immediate dismissal. They have the ability to discipline the individuals responsible: the real question is whether they have the will to identify them ...
This ----> "Meanwhile, it's the council tax payers who'll eventually foot the bill."
The council may even put next year's council tax up by a few pennies to take the fine into account.
It's about time the actual persons guilty of such data breaches were also penalised by the ICO. It would probably make people a little more aware of their responsibilities if they knew they could get fined after a blatant cock-up.
"Or it could have employed people who had a modicum of common sense."
...and followed by lots of comments about written procedures etc, but I wonder how many people here have a filing cabinet and would think to or remember to, pull all the drawers out properly and check down inside in case any documents have fallen through? The fact it's documents relating to only 7 people suggests this as the most likely scenario and, in hindsight, something that should have been checked but I'd be prepared to bet that even with a written procedure, the majority of people would think that opening the drawers and checking they were empty was all that was needed.
Many filing cabinets don't make it easy to remove a drawer so you might have to try to get your head in there somehow (health and safety issue??) or scrabble around blindly with your hand down behind the drawer.
"It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal were thoroughly checked before disposal."
They DO have written procedures to not release personal info. If the suggestion is that all the ways that personal info must NOT be released are listed, they're pretty much infinite:
Not in your head, Not in a folder, Not on a USB stick, Not on a floppy disk, Not in a filing cabinet, Not on an HDD ...
(To paraphrase Dr Seuss: I do not release personal info, I do not do it, Sam-I-am)
It happens to me - papers falling down the back of a desk drawer unit. You have to take all the drawers out to reach the stuff. That doesn't make it all right, you'd still have to look, but it's very understandable. Upvote.
On the other hand, the stuff may have been a few files in a drawer normally. Less excusable but still easily done.
I've just been reading 1970s sci-fi novel [Tomorrow Is Too Far] where a factory security manager gets a clue - not the first as it turns out - to Something Going On, when an empty storeroom, never used - is the site of a small fire, destroying a small quantity of mysterious documents. My point is that you can be equally confident that your old drawers don't contain leftover documents, but you do still have to check at an appropriate last opportunity, just as I check my trouser pockets as they go into the washing machine, for overlooked love letters from a secret admirer, or non-washable banknotes, or really anything. The first two are almost never found, but it's still better to check, than to be sorry later.
An interesting question is whether the cabinet was never emptied, or was it just that it was mostly (but not very-carefully) emptied by the council staff, who perhaps (e.g.) missed a few documents that had slipped down the back of the drawers? In the latter case, the sort of quick inspection a charity shop, or a customer therein might give it could easily miss them (and, apparently, did).
While I fully support fining for this type of security breach, it must be said that it is the people of Norfolk that will actually be paying the fine, not the idiots that were responsible for this.
When government bodies do this type of thing fining doesn't really achieve anything as it's not the organisation's money and they don't care; there needs to be some kind of punishment to make sure more care is taken in future, something along the lines that the person responsible loses their job for instance. Or am I just being silly?
The problem with holding individuals responsible is they will want more money to reflect that degree of responsibility and it will only end in the fiasco of buck-passing anyway.
If anyone ever is held as responsible as people might like, there will be no one willing to take on those jobs lest some underling fucks up and they have to carry the can. But it's probably going to be an underling who carries the can while the exec really responsible walks away without punishment courtesy of lawyering-up.
While saying individuals should be held to account, punished for mistakes, it's very hard to achieve that in practice.
"something along the lines that the person responsible loses their job for instance."
If it was traceable to an individual, then they will likely have embarked on a trip down the disciplinary procedures. If someone higher up was responsible for putting a procedure in place and they'd not done it, then the same may apply to them.
I've not personally had dealings with ICO incidents, but a friend at a local council has been (as an observer, not a participant, natch!) and he said the report back to the ICO was supposed to include tracing and placing of "blame" where possible and measures/sanctions taken. This implies that the ICO want to see relevant individuals at whatever level taken to task.
"Steve Eckersley, ICO Head of Enforcement, said: “The council had disposed of some furniture as part of an office move but had failed to ensure that the cabinets were empty before disposal."
The council staff failed to check, the people removing them failed to check and the charity failed to check. All have to take some responsibility for this but the council has to take the lion's share.
“For no good reason Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information. It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal were thoroughly checked before disposal.”
Regardless whether there is or isn't a written procedure for this, common sense should have kicked in at least.
"Steve Eckersley, ICO Head of Enforcement, said: “The council had disposed of some furniture as part of an office move but had failed to ensure that the cabinets were empty before disposal."
Everywhere I've ever worked filing cabinets were like hen's teeth. I'll bet the first thing the department did after their move was ...
Followed a few weeks months later by ... " has anyone seen the files on little Alice, Joan, Harry ....? (NB fictitious names.)
... are almost permanently featured somewhere in Private Eye. Child 'M', foster carer fiasco, Children's Services rated inadequate, winning the Eye's 'Whitewash Award for Local Government' in 2015, etc. They've a reputation of burying the truth and protecting NCC officials, so don't expect anyone to be named as responsible for this latest dropped bollock any time soon, if at all.
My ex worked (or works) at the local council's children's home as a social worker. It's the place where they put emergency kids, I forget the terminology. Some years back it transpired that her boss had completely bogus qualifications. He had also molested some young lad. He got the sack but no police were involved. He went on to molest other boys before having to leave the county for his own safety.
AFAIK he eventually got time for something or other and I hope that I never see him again.
Yes, but even more importantly: It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personnel were thoroughly checked before disposal.
Unimaginable had someone fallen asleep in there...
This is one of the many reasons why I hate printers. And users.
I have worked in schools, several of the databases containing information about children make it clear the data comes under IL3 and should not be printed. If notes are taken, they should be transcribed and destroyed. This error by the council is pretty unforgivable.
So on the one hand the council is a bunch of incompetents who can't find posterior with both hands, and on the other hand they have the organisational capability to run a revenge campaign across at least three entirely separate departments, all without it getting leaked to the local paper?