Record fine for Glasgow Council following ‘flagrant disregard’ for data protection


   By a Newsnet reporter

Labour run Glasgow City Council has been hit with a record fine of £150,000 by the Information Commissioner’s Office (ICO), following the loss of two council laptops containing the personal details of over 20,000 council tax payers in the city.

In a strongly worded statement, the ICO said that the Council had been guilty of a “flagrant disregard for the law and the people of Glasgow”.

The thefts of the laptops occurred after the Council had been served with an enforcement notice by the ICO demanding that the council tighten up security in its offices following an earlier theft of unencrypted computing equipment.  In that incident, which occurred two years previously, an unencrypted memory stick containing personal information had been lost.

Despite the enforcement notice, the Council took no steps to tighten up security, and a further series of thefts of computing equipment took place.

Both laptops were stolen from locked office drawers on council premises, but neither had been encrypted as the Council claimed there were “problems with the data controller’s encryption software”.

The ICO slammed the Council for being aware of this technical problem, but nevertheless it still issued unencrypted laptops to Council employees – in breach of the Council’s own guidelines. 

Following an investigation after the theft of the laptops, it transpired that dozens of other unencrypted laptops had been issued to Council employees.  A least six of these laptops have also been stolen, and in total 74 laptops are unaccounted for.

ICO assistant commissioner for Scotland, Ken MacDonald, said: 

“How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief.

“The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.”

He added: “To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that.”

In a statement, Glasgow City Council said:

“This data loss should not have happened and we took immediate steps to ensure it does not happen again. It is important to note that the number of unencrypted laptops was already coming down when this theft occurred.

“The council co-operated fully with the Information Commissioner’s Office and wrote to everyone potentially affected to advise them of the data loss.

“The ICO acknowledges there is no evidence that any bank accounts have been targeted, that the council immediately informed it of the theft and that we carried out significant remedial action.”