The size of the fine hints at the anger within the Information Commissioner's Office (ICO), which had previously slapped an enforcement notice on the council in 2010 following the loss of unencrypted memory sticks.
“How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief,” said Ken Macdonald, the ICO assistant commissioner for Scotland. “The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.”
While the ICO had concerns over the sheer number of unencrypted laptops going missing at the council, it was further angered by the loss of two in May last year. In that case, one of the laptops contained personal data relating to more than 20,000 people, and bank details for more than 6,000.
According to the ICO, the laptops were given to two employees who needed to be able to work flexibly. One member of staff locked her laptop in her drawer, while putting the key in her colleague's desk drawer. Unfortunately, that colleague left work putting his own laptop alongside the key, but forgot to lock the drawer. Both laptops were stolen overnight.
The ICO reported that both employees had requested that their laptops be encrypted but the council had not done so.
“Glasgow City Council was issued with an enforcement notice back in 2010 after a similar incident where an unencrypted memory stick was lost. To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow,” railed Macdonald.
The ICO has not found any evidence that the bank accounts have been targeted following the losses.
Last year, the ICO fined Brighton and Sussex University Hospital £375,000 after a contractor stole hard drives from the NHS Trust, although the Trust appealed.