
TMT Legal Update: ICO fines Glasgow City Council £150,000 over theft of unencrypted laptops

    • Technology, Media and Telecoms - Technology

    04-07-2013

    Précis – The Information Commissioner’s Office (“ICO”) has issued a monetary penalty of £150,000 against Glasgow City Council after two of its laptops were stolen during refurbishment works at its offices.

    What? On 28 May 2012, two unencrypted laptop computers were stolen from the offices of Glasgow City Council (the “Council”) during refurbishment works. At the time of the theft the first laptop was locked in a storage drawer, but the key to that drawer had been placed alongside the second laptop in another drawer, which its user had forgotten to lock.

    In finding that the Council had seriously breached its obligation to take appropriate technical measures against the loss of personal data, the ICO took into account the following aggravating factors:

    • one of the laptops contained the personal information of 20,143 individuals, including the bank account details of 6,069 of them;
    • the Council had a policy intended to prevent unencrypted laptops from being issued, yet did not stop its IT supplier from issuing them. In this case the laptops had been left unencrypted because of problems with the Council’s encryption software;
    • the Council had still not encrypted the laptops despite requests from both of the employees using them;
    • 68 other unencrypted laptops are unaccounted for, and a further 6 are known to have been stolen; and
    • the Council had already been the subject of ICO enforcement action after losing unencrypted memory sticks in 2010.

    So what? This decision highlights the ICO’s increased willingness to issue monetary penalties to reinforce its message that portable devices containing personal data should be encrypted. It is notable that a significant penalty was issued even though the laptops held no sensitive personal data. However, given that the Council had been served an enforcement notice two years earlier for similarly losing unencrypted portable devices, the ICO has demonstrated that it will not tolerate recurring data protection breaches. Any business handling personal data can take some key lessons from this decision:

    • ensure that all portable devices are encrypted, and verify that encryption is actually in place before a device is issued rather than relying on the policy or the supplier alone (here the policy existed but the devices were still issued unencrypted);
    • keep all portable devices securely stored when not in use, and keep the keys to that storage separate from the devices;
    • maintain an asset register detailing who is responsible for each portable device and identifying where such devices are located, so that missing devices are noticed rather than discovered during an investigation; and
    • it is not enough to have compliant policies in place - you must follow them, and be able to show that you did.
