ICO fines Glasgow City Council for loss of unencrypted laptops

Glasgow City Council has been fined £150,000 for losing two laptops which held personal details of more than 20,000 people.

The Information Commissioner’s Office (ICO) fined the council over the loss of the two laptops, and also discovered during the investigation that another 74 unencrypted laptops had gone missing.

The two laptops were stolen from council offices in May of last year as they were not locked away securely at the end of the working day.

One of the stolen laptops contained information on 20,142 individuals, including bank details of 6,069 people.

Glasgow City Council had already been issued an enforcement notice for breaching the Data Protection Act after an unencrypted memory stick with personal data was lost three years ago.

The investigation found that the council had issued its staff with unencrypted laptops after having problems with the encryption software. According to the ICO, most of these devices were later encrypted; however, it found that a further 74 unencrypted laptops were missing, with at least six known to be stolen.

Ken Macdonald, the ICO’s Assistant Commissioner for Scotland, said: “How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief. The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.”


1 comment

It must be time for all public sector bodies to face up to the fact of the ICO's willingness to issue heavy penalties for negligence? If organisations are to avoid facing fines at a time when they can ill afford financial wastage, important steps must be taken to improve IT procurement and disposal processes.

Investing in IT hardware with comprehensive encryption is key: organisations must approach hardware manufacturers with demonstrable experience in this area, and those which offer encrypted laptops which meet a variety of security benchmarks, such as CESG approval.

Windows 8 Professional is another great example, now featuring Windows BitLocker as standard for no extra cost. As long as public sector customers procure notebooks and tablets that have Trusted Platform Module (TPM) modules, they can be encrypted up to IL3 Level Security. This will be more than adequate for the vast majority of local authorities and indeed wider public sector workers.

If public sector bodies adopt a best practice approach to data security upfront, then the wrath of ICO fines can be kept at bay.

Simon Harbridge, CEO, Stone Group