The ITAM Review has learned of yet more disquiet in the public sector data arena recently with two London councils being severely rapped for breaches of the Data Protection Act, after the loss of two unencrypted laptops containing sensitive personal information.
While information security is not necessarily the core remit of the IT Asset Manager, knowing where data lives, in all its forms, and keeping it under control is a key consideration for ITAM professionals who want to maintain a clear and accurate view over their total stack of resources.
In what might be labelled another case of Public Sector Unencrypted Laptop Syndrome (PSULS for short, with a silent P as in "pneumatic"), the Information Commissioner's Office (ICO) last month served both Ealing and Hounslow Council with monetary penalties.
According to the ICO, two laptops containing the details of around 1,700 individuals were stolen from an employee's home. Both laptops were password protected but unencrypted, in breach of both councils' own policies. A login password only gates the operating system; without full-disk encryption, anyone who removes the drive or boots from other media can read the data on it.
There is no evidence to suggest that the data held on the computers has been accessed, and the data controllers have received no complaints from clients to date, but there was nevertheless a significant risk to the clients' privacy.
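The difference between a login password and encryption at rest is the one the ICO keeps having to spell out, and it is something an asset manager can verify rather than take on trust. The following is an added example, not code from the ITAM Review or from either council: it parses the JSON tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` produces on a Linux laptop and reports whether the mount points holding user data sit on a dm-crypt (LUKS) volume anywhere in their device ancestry. The two sample trees are constructed for illustration (an encrypted LUKS-plus-LVM layout and a plain unencrypted one); the function names and the list of sensitive mount points are my own choices. Windows (`manage-bde -status`) and macOS (`fdesetup status`) expose the equivalent fact and can be collected the same way by fleet tooling.

```python
"""Fleet check: is each sensitive mount point backed by a dm-crypt/LUKS device?

Walks the JSON tree produced by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and records,
for every mount point of interest, whether any device in its ancestry has
TYPE "crypt".  A login password does nothing for data at rest; this property is
what actually matters when the laptop is stolen.
"""
import json
import subprocess
from typing import Dict, Iterable, List, Optional

# Mount points expected to hold personal data (assumption for this example;
# /boot is deliberately excluded because it is normally left unencrypted).
SENSITIVE_MOUNTS = ("/", "/home")

# Constructed sample: LUKS container -> LVM volume group -> root and home.
ENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "luks-sda2", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
            ]},
        ]},
    ]},
]})

# Constructed sample: plain partitions, nothing encrypted (the councils' case).
PLAIN_LAPTOP = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/"},
        {"name": "sda2", "type": "part", "mountpoint": "/home"},
    ]},
]})


def _walk(devices: Iterable[dict], ancestors: List[str]):
    """Yield (mountpoint, chain of TYPEs from the top-level disk down) for every node."""
    for dev in devices:
        chain = ancestors + [dev.get("type", "")]
        yield dev.get("mountpoint"), chain
        yield from _walk(dev.get("children", []), chain)


def encryption_status(lsblk_json: str,
                      mounts: Iterable[str] = SENSITIVE_MOUNTS) -> Dict[str, Optional[bool]]:
    """Map each requested mount point to True (on a crypt device), False (not), or None (not mounted)."""
    tree = json.loads(lsblk_json)["blockdevices"]
    status: Dict[str, Optional[bool]] = {m: None for m in mounts}
    for mountpoint, chain in _walk(tree, []):
        if mountpoint in status:
            status[mountpoint] = "crypt" in chain
    return status


def unencrypted_mounts(lsblk_json: str,
                       mounts: Iterable[str] = SENSITIVE_MOUNTS) -> List[str]:
    """Mount points that fail the check: unencrypted, or absent (treated as a failure, not a pass)."""
    return [m for m, ok in encryption_status(lsblk_json, mounts).items() if not ok]


def check_live_host(mounts: Iterable[str] = SENSITIVE_MOUNTS) -> Dict[str, Optional[bool]]:
    """Run the same check against the machine this script executes on (Linux with util-linux)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return encryption_status(out, mounts)


if __name__ == "__main__":
    for label, sample in (("encrypted laptop", ENCRYPTED_LAPTOP), ("plain laptop", PLAIN_LAPTOP)):
        failing = unencrypted_mounts(sample)
        print(f"{label}: {'COMPLIANT' if not failing else 'NON-COMPLIANT ' + ', '.join(failing)}")
```

Treating a missing mount point as a failure rather than a pass is deliberate: an inventory record that cannot prove encryption should not count as evidence of it, which is the same logic the ICO applied to Hounslow's outsourced handling.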
“Where personal information is involved, password protection for portable devices is simply not enough. The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected,” said David Smith, deputy commissioner at the ICO.
“Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way.”
ITAM Editorial Comment: Perhaps the most important lesson still to be learned from this far-too-often-repeated scenario relates to workflow. Whether through two-factor authentication technology or quite simply a stipulation that a ‘second person’ takes part in (and therefore double checks) the process of protecting and encrypting data assets, these layers must now exist as a mandatory requirement rather than as a policy that nobody verifies. This holds for both the public and the private sector; quite why the public sector appears so susceptible to gaffes of this kind is hard to say.