Aberdeen City Council has been fined £100,000 by the Information Commissioner’s Office (ICO) over its failure to implement a home working policy, after an employee posted sensitive information online.
Information relating to the care of vulnerable children was accidentally published on a website after a staff member accessed documents on their home computer, including meeting minutes and detailed reports. The ICO said that documents were accessed either through the council's GroupWise email account, or via a USB stick.
After the files were downloaded, an unnamed file transfer program installed on a laptop was responsible for auto-uploading the documents to a website, publishing sensitive information concerning a number of vulnerable children and their families.
According to the ICO penalty notice, the employee had claimed that the file transfer program had unknowingly been installed by the previous owner of her second-hand computer.
Files were uploaded between 8 and 14 November 2011, and remained online until 15 February 2012, when they were found by another staff member who had entered their own name and job title into a search engine.
Following an investigation by the ICO, it was found that the council's home working policy for staff was "impractical and ambiguous" and not enough had been done to restrict the downloading of sensitive information from the council’s network.
The ICO said that Aberdeen City Council will now be fined £100,000, though this sum will be reduced to £80,000 if a payment deadline is met.
“As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure,” said Ken Macdonald, assistant commissioner for Scotland at the ICO.
“In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council’s existing data protection guidance was being followed. The result was a serious data breach that left the sensitive information of a vulnerable young child freely available online for three months.”
He concluded: “We would urge all social work departments to sit up and take notice of this case by taking the time to check their home working setup is up to scratch.”