SCOTLAND'S largest local authority is facing a six-figure fine, potential legal action and a loss of business after the theft of a laptop containing tens of thousands of names, addresses and bank details.
The Herald has learned Glasgow City Council had been warned repeatedly about the need for all its laptops to be encrypted for well over a year, yet the device stolen did not have the security in place.
As recently as last October, a report found 30% of council laptops, running into the hundreds, had yet to be encrypted. It is also believed an outside IT firm which repairs the city council's computer hardware recently alerted officers to unsecured laptops, specifically mentioning the stolen device.
In the latest incident, two unencrypted laptops were stolen from a city council office a fortnight ago, with one containing 38,000 names and addresses. It also contained the bank details of more than 10,000 businesses and 6000 individuals.
Many within the authority and Access, the public-private partnership that runs the council's IT, are pointing to the theft of a laptop with an abnormally high amount of data as an indication of an inside job, although senior sources within the authority have moved to play down the theory.
All the businesses involved are city council suppliers and contractors, from major firms to self-employed tradesmen, while people who receive care grants and fuel allowances also had their details on the device.
In the past few days, city council staff who have had an equal pay settlement have received letters warning them their details were also on the laptop. Unison has said its lawyers have advised members they could have a legal claim against the city council if they can demonstrate financial loss from the theft.
Graeme Hendry, leader of the council's SNP group, said: "The more that emerges on this data theft the more serious questions emerge. The reputational damage to the council from the loss of business details, staff information and so many Glasgow citizens' personal information is huge. At this stage I believe it would be helpful for the council leader to issue an apology and update on the investigation."
The Information Commissioner's Office (ICO), which is the UK regulator for data protection, has begun issuing major fines and this week hit a Belfast health trust with a penalty of £225,000 for compromising sensitive data of patients, while Midlothian Council was fined £140,000 in January for disclosing data about children and their carers.
Glasgow was rebuked by the ICO in 2009, before it had the powers to fine, after the loss of a memory stick containing details of sex offenders, their victims and witnesses. This, along with any confirmed failure to act appropriately on previous security warnings, will be taken into account during the current investigation and in deciding what any fine may be.
In official council papers dating back to February 2011, information security breaches and the need for encryption were identified as major risks.
The same risks were flagged up quarterly across the next year, with the October report stating that while "encryption activity" had started in some core departments, "30% of laptop assets still remain unencrypted".
The city council said it would publish its internal findings in due course.
Strathclyde Police said there had been no arrests for the theft and inquiries were ongoing.
Meanwhile, Dumfries and Galloway Council has launched a probe after confidential social work files were found in a car park. The incident, the third apparent data breach by the local authority since March 2011, has been reported to the Information Commissioner.