The incident occurred in November 2011 when a member of staff accessed a batch of documents on their home computer from the council's network. These documents were then automatically uploaded to the web by a program installed on the machine.
The information was subsequently found in February 2012 by a council member who was mentioned in one of the documents that had been uploaded. They informed the council and the data was removed and the ICO informed.
The member of staff responsible told the ICO the software that uploaded the data must have been installed by the previous owner of the computer as she was not aware of what had happened.
“The employee told the data controller that the computer is second hand and that it must have been installed by a previous owner,” the report by the ICO reads.
The report also noted that the council had no relevant home-working policy and no sufficient measures in place to restrict the access of sensitive information from the council’s network.
Ken Macdonald, assistant commissioner for Scotland at the ICO, said the incident should make all social work departments in councils "sit up and take notice" of the issues raised around home working and data protection.
“As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure,” he said.
“In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information.”
Aberdeen City Council said it takes data protection extremely seriously, which is why it reported the matter to the ICO itself when it came to light, and claimed it was making improvements on its policies. The council made no direct comment on the fine.
"A data protection audit report on the City Council by the ICO this summer found that a comprehensive suite of up-to-date data policies are in place, strong arrangements are in place concerning a wide range of routine data-sharing, and the content of data protection and information security training material used by Aberdeen City Council is detailed and thorough."
The fine is the latest of many to be imposed by the ICO against councils for poor data-handling procedures, with Islington Council fined £70,000 for an issue relating to Excel that caused 2,000 residents' details to be leaked online.
No comments:
Post a Comment