by Josh Arrington
The UK Information Commissioner’s Office has today issued two local government councils with fines for breaches of the Data Protection Act. The two bodies were fined £80k / $128k and £70k / $113k respectively after two unencrypted laptops, containing the details of around 1,700 individuals, were stolen from the home of an employee working on the joint out-of-hours service for both councils.
What’s particularly interesting in this case is that one of the councils actually had a policy in place requiring all data to be encrypted – something which it had evidently failed to roll out organisation-wide.
Given both councils chose to ignore the warning signs, it’s quite clear that more needs to be done to ensure that organisations take data protection more seriously. As we’ve seen in the US with Senate Bill 1386, fines certainly act as a wake-up call to those involved, but education is absolutely essential if staff are to understand the pitfalls that can ensue from poor data protection policies.
With four fines already under its belt, the UK ICO seems set to make its point – issuing a warning only last week to local councils threatening prosecution for failure to implement proper data control procedures. Unfortunately, we’re still seeing the fallout from organisations that are simply not succeeding in protecting valuable data, so it remains to be seen whether such warnings will be taken seriously. If not, and lessons are to be learned the hard way, at least we can be sure the powers that be will not be turning a blind eye.