Lost-Laptop Council Breached Data Rules

Stolen laptops had unencrypted personal data – and Manchester City Council’s response may not be enough

Manchester City Council has been found in breach of the Data Protection Act after two unencrypted laptops were stolen from the town hall one of which contained details of 1,754 employees,

In a statement issued this week, the Information Commissioner’s Office (ICO) released details of the incident which has resulted in the council signing a formal declaration to improve how it secures physical hardware as well as the information residing on such devices.

According to Sally-anne Poole, head of enforcement & investigations at the ICO, one of the stolen laptops contained personal details on members of staff in local schools from the Manchester area. “We urge all councils and their executive teams to take responsibility for treating data protection as a corporate governance issue affecting the entire organisation. They have to make sure that safeguarding the personal information of their staff is embedded in their organisational culture,” she said.

Poole added that the Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. “Manchester City Council recognises the seriousness of this data loss and has agreed to take immediate action. It has also agreed to implement an improved training programme, including regular refresher training for all staff,” she said.

But in a move that is supposedly meant to satisfy the ICO, but could appear to some security experts as a half-measure, the council has also claimed that it won’t ban downloads of information to mobile devices but rather ensure that only “essential personal information will be downloaded onto mobile devices in the future”.

Tools such as desktop and application virtualisation – provided by companies such as Citrix – are seen as one way to combat the problem of data loss by avoiding data from having to be downloaded locally onto mobile devices that could be lost or stolen. Rather, staff work on virtual desktops hosted on a central server or in the cloud which reduces the need to download data locally.

A spokesperson for the ICO said that it advocates that companies use the best technology possible to protect data but doesn’t stipulate what that should be. In the case of Machester City Council, the spokesperson said that the organisation would be expected to put in place measures to prevent staff from simply deciding the data they wanted to download was “essential” and would instead have to have that decision signed-off by upper management in accordance with approaches stipulated by the Data Protection Act. “Staff would not simply be able to decide the data they needed was ‘essential’ and put it on data stick without asking anyone else,” the spokesperson added.