> West Berkshire Council loses sensitive data of children and young people on memory stick
Mark NWN
post Jun 2 2010, 12:35 PM
Post #1


Advanced Member
***

Group: Members
Posts: 56
Joined: 19-May 10
Member No.: 907



QUOTE
NEWBURYTODAY.CO.UK can exclusively reveal that West Berkshire Council has been investigated by the Information Commissioner’s Office (ICO) for breaching the Data Protection Act by losing a memory stick containing sensitive information of children and young people.

The memory stick, which was unencrypted and not password protected, contained, among other things, information relating to the ethnicity and physical or mental health of the children.

In a statement released by the ICO today, an investigation found that unencrypted devices, in operation before the council introduced encrypted memory sticks in 2006, were still being used by members of staff.

Further enquiries revealed staff had not received appropriate training in data protection issues and monitoring of compliance with the council’s policies was found to be inadequate. This is the second data security incident reported by West Berkshire Council within six months.

It announced that Nick Carter, Chief Executive of West Berkshire Council, has signed a formal Undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted.

Sally-Anne Poole, Enforcement Group Manager at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.

"A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands. I am aware that staff have been provided with encrypted USB sticks since 2006 but older devices were not recalled. I am pleased that the council has now taken action to prevent against further data breaches.”

Council staff will also be made fully aware of the council’s policy for the storage of personal data and receive appropriate training on data protection and IT security issues.

Details as to where or how the information was lost are not yet known.


What do you think about this?
What do you think is the most concerning aspect of it?


Story here: http://www.newburytoday.co.uk/News/Article...articleID=13477
Iommi
post Jun 2 2010, 12:43 PM
Post #2


Advanced Member
***

Group: Members
Posts: 4,138
Joined: 13-May 09
From: Newbury
Member No.: 20



To be fair, WBC have stumbled over a problem a lot of organisations face when dealing with data storage and transportation (including, in some cases, working from home). USB memory is so easy and convenient. Mind you, I'm surprised their network isn't locked down to prevent unauthorised access of USB devices and the like. At the end of the day, unless we know more about the nature of the data leak, it is difficult to comment further.
Jayjay
post Jun 2 2010, 01:32 PM
Post #3


Advanced Member
***

Group: Members
Posts: 1,012
Joined: 22-September 09
Member No.: 357



This is totally unacceptable. A lot of companies have in the past faced problems such as this when dealing with mobile data. This makes the story even more shocking as the risks and solutions have been known for a long time. Did it not occur to anybody, when it was all over the media, to put some form of training for staff in place?

Many years ago, way before mobile data existed, I worked in Children's Services, not Newbury. Even then data was protected in a clear desk policy each lunchtime and evening. If you were away from your desk for a few minutes, folders had to be closed.

Just hope this has been misplaced and has not got into the wrong hands.
Iommi
post Jun 2 2010, 03:36 PM
Post #4


Advanced Member
***

Group: Members
Posts: 4,138
Joined: 13-May 09
From: Newbury
Member No.: 20



Staff training only has so much effect; at the end of the day, the network has to be organised to prevent 'accidents'.
On the edge
post Jun 2 2010, 07:57 PM
Post #5


Advanced Member
***

Group: Members
Posts: 7,847
Joined: 23-May 09
From: Newbury
Member No.: 98



This is very serious indeed. It's in the same category as a shopkeeper selling restricted goods to those under age, or a confused car driver entering Market Place. If the Council staff 'don't know the rules' how on earth do they expect anyone else to observe them? Frankly, there should be a heavy fine and the culprits named and shamed. What's sauce for the goose!


--------------------
Know your place!
Guest_NWNREADER_*
post Jun 2 2010, 08:06 PM
Post #6





Guests






QUOTE (On the edge @ Jun 2 2010, 08:57 PM) *
This is very serious indeed. It's in the same category as a shopkeeper selling restricted goods to those under age, or a confused car driver entering Market Place. If the Council staff 'don't know the rules' how on earth do they expect anyone else to observe them? Frankly, there should be a heavy fine and the culprits named and shamed. What's sauce for the goose!

I suspect the truth is the staff do know the rules, but individuals don't observe them and the line management is focused more on delivering targets than checking what staff are plugging in to their terminals. The data doubtless needs to be taken out of the WBC environs for good reason, but with the conflicting pressures of producing results and doing it by the book, 'the book' tends to lose.
WBC is not alone in this. Public bodies that lose info are just far more newsworthy. No let-off for them, and they are in deep doo-doos, but the process can be written as well as anyone could want: if the internal checks and enforcement (and resource provision) are not right these things will happen again.
Strafin
post Jun 2 2010, 08:08 PM
Post #7


Advanced Member
***

Group: Members
Posts: 3,933
Joined: 14-May 09
From: Newbury
Member No.: 55



They should all have their cars smashed up. According to the that is a reasonable punishment!
Iommi
post Jun 2 2010, 08:09 PM
Post #8


Advanced Member
***

Group: Members
Posts: 4,138
Joined: 13-May 09
From: Newbury
Member No.: 20



QUOTE (On the edge @ Jun 2 2010, 08:57 PM) *
This is very serious indeed. It's in the same category as a shopkeeper selling restricted goods to those under age, or a confused car driver entering Market Place. If the Council staff 'don't know the rules' how on earth do they expect anyone else to observe them? Frankly, there should be a heavy fine and the culprits named and shamed. What's sauce for the goose!

The ultimate cost of any punitive reaction is an extra cost to the taxpayer. In the end, when the Government, including the MoD, can't be trusted with data, what chance have other organisations? I do think, though, that data misuse like this should be a sackable offence, but the system should prevent it being possible.
On the edge
post Jun 2 2010, 08:38 PM
Post #9


Advanced Member
***

Group: Members
Posts: 7,847
Joined: 23-May 09
From: Newbury
Member No.: 98



QUOTE (Iommi @ Jun 2 2010, 09:09 PM) *
The ultimate cost of any punitive reaction is an extra cost to the taxpayer. In the end, when the Government, including the MoD, can't be trusted with data, what chance have other organisations? I do think, though, that data misuse like this should be a sackable offence, but the system should prevent it being possible.


The reason for my reaction and total lack of sympathy is down to the actions of the self same sanctimonious little officials we have trying to justify fitting up shop counter hands selling fags to youngsters very few would be able to see were too young. Or indeed think up unreasonable methods to enforce minor driving infringements. And yes, I do have knowledge of someone who lost her job as a result of this type of entrapment.

Equally, these officials are well paid, apparently well read and educated. The Council's own rules were quite clear and issues with data loss by public servants very well publicised. This should be a personal fine and not one on the public exchequer. Three weeks ago I got a ticket because I forgot to phone Paygo when I jumped on the train to work. I paid the fine; I wouldn’t expect my employer to pick it up!

As for changing the IT systems to prevent misuse - that costs money; normally rather a lot. Why should we have to pay simply because our Council's staff are apparently unable to keep a few simple rules?


--------------------
Know your place!
Iommi
post Jun 2 2010, 09:02 PM
Post #10


Advanced Member
***

Group: Members
Posts: 4,138
Joined: 13-May 09
From: Newbury
Member No.: 20



QUOTE (On the edge @ Jun 2 2010, 09:38 PM) *
As for changing the IT systems to prevent misuse - that costs money; normally rather a lot. Why should we have to pay simply because our Council's staff are apparently unable to keep a few simple rules?

To me that isn't the point. If there has been a data leak, it is ultimately people like us that are potentially compromised. Systems should be in place to prevent accident, OR deliberate data loss or theft. You see, this might be deliberate. So if someone did this deliberately, staff training is of no use whatsoever. You are left with the need to harden systems to reduce the likelihood of data theft.

Mind you, nothing is 100% safe.

I agree though, this should be a job threatening action.
Exhausted
post Jun 5 2010, 08:08 PM
Post #11


Advanced Member
***

Group: Members
Posts: 1,722
Joined: 4-September 09
Member No.: 320



QUOTE (Iommi @ Jun 2 2010, 10:02 PM) *
I agree though, this should be a job threatening action.


The buck normally stops at the top. I find it strange that the Chief Exec, Mr Carter, is only now after two incidents, being asked to sign a formal undertaking that personal data held by WBC is encrypted. Part of running a business as data sensitive as a council should have already had safeguards introduced when loss of data became a national issue.
Darren
post Jun 6 2010, 06:52 AM
Post #12


Advanced Member
***

Group: Members
Posts: 1,251
Joined: 15-May 09
Member No.: 61



Holding data as encrypted is the easy bit. Keeping it encrypted is the hard part.
Jayjay
post Jun 6 2010, 11:05 AM
Post #13


Advanced Member
***

Group: Members
Posts: 1,012
Joined: 22-September 09
Member No.: 357



QUOTE (Exhausted @ Jun 5 2010, 09:08 PM) *
The buck normally stops at the top. I find it strange that the Chief Exec, Mr Carter, is only now after two incidents, being asked to sign a formal undertaking that personal data held by WBC is encrypted. Part of running a business as data sensitive as a council should have already had safeguards introduced when loss of data became a national issue.


Abusing the Data Protection Act normally has a high financial penalty to it - in the private sector that is. It hurts the individual or shareholder. Why should Mr Carter care when it won't hurt his pocket? If a fine is applied, it is just us old mugs who pay it.
Exhausted
post Jun 6 2010, 06:18 PM
Post #14


Advanced Member
***

Group: Members
Posts: 1,722
Joined: 4-September 09
Member No.: 320



QUOTE (Darren @ Jun 6 2010, 07:52 AM) *
Holding data as encrypted is the easy bit. Keeping it encrypted is the hard part.


There are many ways of encrypting data in a secure way including rolling codes. Keeping it encrypted is part of the deal and is not difficult. There are costs involved but they are not onerous and I am sure that the WBC IT department should be able to resolve this. If they can't, why are we paying them?
Bloggo
post Jun 7 2010, 10:38 AM
Post #15


Advanced Member
***

Group: Members
Posts: 1,863
Joined: 14-May 09
From: Newbury
Member No.: 41



QUOTE (NWNREADER @ Jun 2 2010, 09:06 PM) *
I suspect the truth is the staff do know the rules, but individuals don't observe them and the line management is focused more on delivering targets than checking what staff are plugging in to their terminals. The data doubtless needs to be taken out of the WBC environs for good reason, but with the conflicting pressures of producing results and doing it by the book, 'the book' tends to lose.
WBC is not alone in this. Public bodies that lose info are just far more newsworthy. No let-off for them, and they are in deep doo-doos, but the process can be written as well as anyone could want: if the internal checks and enforcement (and resource provision) are not right these things will happen again.

I suspect you are spot on with your observation.
I suspect there is a great deal of "image" management going on at WBC rather than real supervisory work which takes time and effort to ensure staff are working to procedures.


--------------------
Bloggo
Hugh Saskin
post Jun 7 2010, 06:54 PM
Post #16


Advanced Member
***

Group: Members
Posts: 560
Joined: 14-May 09
Member No.: 37



QUOTE (Bloggo @ Jun 7 2010, 11:38 AM) *
I suspect you are spot on with your observation.
I suspect there is a great deal of "image" management going on at WBC rather than real supervisory work which takes time and effort to ensure staff are working to procedures.


Then I suspect you know more about this than just what we've seen on here - what more can you tell us, please?
Darren
post Jun 8 2010, 07:59 AM
Post #17


Advanced Member
***

Group: Members
Posts: 1,251
Joined: 15-May 09
Member No.: 61



QUOTE (Exhausted @ Jun 6 2010, 07:18 PM) *
There are many ways of encrypting data in a secure way including rolling codes. Keeping it encrypted is part of the deal and is not difficult. There are costs involved but they are not onerous and I am sure that the WBC IT department should be able to resolve this. If they can't, why are we paying them?


It still has to be decrypted to be read, unless you are a code breaker. There lies the weak point. Screen shots, copy/paste and old-fashioned printing and hand copied notes make encryption worthless.
Bloggo
post Jun 8 2010, 08:09 AM
Post #18


Advanced Member
***

Group: Members
Posts: 1,863
Joined: 14-May 09
From: Newbury
Member No.: 41



QUOTE (Hugh Saskin @ Jun 7 2010, 07:54 PM) *
Then I suspect you know more about this than just what we've seen on here - what more can you tell us, please?

I wonder if the majority of WBC staff have had any formal training on how to encrypt data.
They may have been instructed on its necessity but I suspect that there are a lot who have tried it and failed only to find that there is no one to go to in their office who can instruct them.
Centralised and remote I.T. support does not help individuals with these sort of problems. The temptation is to not bother if you can't do it.
Does Bill1 have a view on this??


--------------------
Bloggo
Andy1
post Jun 8 2010, 09:24 AM
Post #19


Advanced Member
***

Group: Members
Posts: 437
Joined: 2-June 09
Member No.: 121



QUOTE (Bloggo @ Jun 8 2010, 09:09 AM) *
I wonder if the majority of WBC staff have had any formal training on how to encrypt data.
They may have been instructed on its necessity but I suspect that there are a lot who have tried it and failed only to find that there is no one to go to in their office who can instruct them.
Centralised and remote I.T. support does not help individuals with these sort of problems. The temptation is to not bother if you can't do it.
Does Bill1 have a view on this??


With Fixed and Mobile Broadband and secure VPNs (Virtual Private Networks) there is no reason why data need be carried round on a memory stick.
Bloggo
post Jun 8 2010, 09:32 AM
Post #20


Advanced Member
***

Group: Members
Posts: 1,863
Joined: 14-May 09
From: Newbury
Member No.: 41



QUOTE (Andy1 @ Jun 8 2010, 10:24 AM) *
With Fixed and Mobile Broadband and secure VPNs (Virtual Private Networks) there is no reason why data need be carried round on a memory stick.

You're quite right and although well accepted in the private sector I suspect that establishing a secure network across all of WBC and those that work from home would be a huge but necessary task.
Each "home" workstation would need to be audited and upgraded to satisfy the technical requirement. But I guess a lot of this work will already have been done to satisfy the H&S workstation assessment.


--------------------
Bloggo
