Breach details
What | Two unencrypted laptops containing substantial amounts of personal data were stolen from offices undergoing refurbishment. |
How much | An unknown number of records. |
When | Unknown |
Why | An earlier enforcement notice was issued in 2010. Since then, previous thefts had occurred from the Council’s offices and physical security had not been improved. In addition, unencrypted laptops were still being issued and over 70 unencrypted laptops were unaccounted for. |
BW Comments
A Monetary Penalty Notice was issued to Glasgow in respect of this breach, but the quality of IT asset management at the Council was obviously so poor that the ICO felt it needed to issue an enforcement notice as well. |
Regulatory action
Regulator | ICO |
Action | Enforcement Notice |
When | 04 June 2013 |
Details | Enforcement Notice issued to ensure that asset management is improved. A full audit of existing IT assets relating to personal information must be undertaken by 30 June 2013, along with asset management training for managers and reissuing information security guidelines to staff. A new asset register must be completed by 31 July 2013 and updated on a yearly basis. |
BW Observations
Interestingly, the enforcement notice didn’t re-enforce the 2010 instruction to encrypt laptops. |
Links
View PDF of the Glasgow City Council Enforcement Notice (Breach Watch Archive) |
View PDF of the Glasgow City Council Enforcement Notice (Via ICO Website) |