Aberdeen City Council fined £100,000 following employee data breach

The Information Commissioner's Office (ICO) has issued a 100,000 fine to Aberdeen City Council after it was discovered that an employee had posted confidential information relating to the care of vulnerable children online.

The employee in question accessed council documents related to care, including detailed reports and meeting minutes, from her home PC. On accessing the information, it was then automatically uploaded to a website by a file transfer programme installed on her computer. This exposed information about a number of vulnerable children and their relatives, as well as details regarding alleged criminal offences.

As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure.

These sensitive files were uploaded between 8 and 14 November 2011 and remained online until 15 February 2012 when they were spotted by another staff member.

Once the council had been alerted, the data was removed and the incident reported to the ICO. Following an ICO investigation, it was discovered the council was unable to restrict the downloading of such sensitive material from employees outside of the office. Furthermore, it did not have a relevant home working policy to prevent this and other issues from arising.

"As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure," said Ken Macdonald, Assistant Commissioner for Scotland at the ICO.

"In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council's existing data protection guidance was being followed. The result was a serious data breach that left the sensitive information of a vulnerable young child freely available online for three months."

Aberdeen City Council will work with the ICO and agree on how it can ensure compliance with the Data Protection Act going forward.

"We would urge all social work departments to sit up and take notice of this case by taking the time to check their home working setup is up to scratch," Macdonald concluded.

Last month, the ICO issued a 200,000 fine to now-defunct NHS Surrey after almost 3,000 patient records were discovered on a machine bought online.

Maggie has been a journalist since 1999, starting her career as an editorial assistant on then-weekly magazine Computing, before working her way up to senior reporter level. In 2006, just weeks before ITPro was launched, Maggie joined Dennis Publishing as a reporter. Having worked her way up to editor of ITPro, she was appointed group editor of CloudPro and ITPro in April 2012. She became the editorial director and took responsibility for ChannelPro, in 2016.

Her areas of particular interest, aside from cloud, include management and C-level issues, the business value of technology, green and environmental issues and careers to name but a few.