Scotland’s largest local authority has been fined £150,000 after two unencrypted laptops containing thousands of citizens' personal information were stolen.
An investigation by the Information Commissioner’s Office (ICO) found that the laptops were stolen from unlocked storage lockers in Glasgow City Council’s offices on 28 May last year, during refurbishments.
One of the laptops contained the personal information of over 20,000 people, including 6,096 people’s bank account details.
The ICO's investigation discovered that a further 74 unencrypted laptops belonging to the council remain unaccounted for. At least six of these are known to have been stolen, the data protection watchdog said.
“How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief,” said Ken Macdonald, the ICO’s assistant commissioner for Scotland.
“The fact that these laptops have never been recovered and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.”
This is not the first time Glasgow City Council has been slammed for data protection breaches. In 2009, a memory stick was lost containing sensitive data including the details of sex offenders, their victims and witnesses.
The ICO says it had warned Glasgow City Council to encrypt mobile devices in 2010, and again in 2012, and that the latest breach of policy shows what the ICO called "flagrant disregard for the law and the people of Glasgow." Most devices were encrypted, but the unencrypted laptops were issued to staff due to software problems.
As part of the report, the council was criticised for failing to ensure that IT suppliers issue encrypted laptops.
“This data loss should not have happened and we took immediate steps to ensure it does not happen again,” said a spokesperson for Glasgow City Council in a statement.
“It is important to note that the number of unencrypted laptops was already coming down when this theft occurred.”
The council said it is co-operating fully with the ICO and has informed those potentially affected of the incident. It is taking “significant remedial action” but declined to offer any further details. An enforcement notice has been served requiring the council to carry out a programme of retraining for managers and a full audit of its IT equipment.
Serco, which delivers IT services for Glasgow City Council, told Information Age it is working closely with the council but had nothing further to add.