Glasgow City Council

Breach details

What Two unencrypted laptops containing substantial amounts of personal data were stolen from offices undergoing refurbishment.
How much An unknown number of records.
When Unknown
Why An earlier enforcement notice was issued in 2010. Since then, previous thefts had occurred from the Council’s offices and physical security had not been improved. In addition, unencrypted laptops were still being issued and over 70 unencrypted laptops were unaccounted for.

BW Comments

A Monetary Penalty Notice was issued to Glasgow in respect of this breach but the quality of IT asset management at the Council was obviously so poor that the ICO felt it needed to issue an enforcement notice as well.

Regulatory action

Regulator ICO
Action Enforcement Notice
When 04 June 2013
Details Enforcement Notice issued to ensure that asset management is improved. A full audit of existing IT assets relating to personal information must be undertaken by 30 June 2013, along with asset management training for managers and reissuing information security guidelines to staff. A new asset register must be completed by 31 July 2013 and updated on a yearly basis.

BW Observations

Interestingly the enforcement notice didn’t re-enforce the 2010 instruction to encrypt laptops.