Aberdeen City Council (“ACC”) has been fined £100,000 by the Information Commissioner’s Office (the “ICO”) for failing to implement an adequate home working policy following one of its employees posting sensitive information online whilst working from home.
There has been a rash of fines for security breaches imposed on public sector data controllers. Datonomy was particularly interested in this fine because of its wider implications for the private sector. Home working, remote working and "bring your own device" security are currently in the regulatory spotlight, and in the notice announcing the fine the ICO reiterated the importance of organisations ensuring that personal data remains fully secure when accessed remotely. It is time to revisit your BYOD and remote working policies and procedures if you haven't already done so.
In November 2011, an ACC employee unintentionally uploaded 39 pages of highly personal and confidential information relating to her job (caring for vulnerable children), including sensitive personal data, to a website whilst working from home on her home computer. Once uploaded, the information was accessible to all internet users simply by inputting relevant search terms into a search engine. At the time, the ACC had no home working policy in place addressing data security.
The uploaded data was later discovered by a work colleague and reported to the ACC in February 2012. The ACC removed the source documents from the website and reported the data protection breach to the ICO shortly after.
Following an investigation, the ICO found that the ACC, as the relevant data controller, had failed to take appropriate technical and organisational measures against unauthorised processing of personal data, and had therefore breached the seventh data protection principle. In particular, the ICO highlighted the lack of policies and technical procedures for data security generally, and for home working specifically. The ICO listed, as examples, the following ways in which organisations might seek to comply with the seventh principle:
– introducing a secure home working policy;
– providing employees with the necessary equipment to ensure secure home working;
– providing employees with adequate training;
– management checks on the efficacy of the home working policy; and
– taking subsequent steps to ensure that the policy was sufficiently adhered to.
On 27 August 2013, the ICO served a monetary penalty notice on the ACC for £100,000 to reflect the severity of the contravention and its view that, in the circumstances, the ACC ought to have known there was a risk of a contravention occurring and that any such contravention was likely to cause substantial damage and distress, given the confidential and sensitive nature of the information disclosed. The ICO reiterated the importance of organisations and employers taking adequate measures to ensure that all personal data accessed by home workers is kept safe and secure at all times.