Glasgow City Council fined £150,000 after losing personal information for more than 20,000 people

The laptops had not been encrypted, to stop them being read by unauthorised users
  • @James_Legge

The Information Commissioner has fined Glasgow City Council £150,000 after the theft of two laptops, one of which contained personal information on more than 20,000 people.

A further 74 unencrypted laptops are also missing, of which six were definitely stolen.

The council - issued with an enforcement notice three years ago after an unencrypted memory stick containing personal data was lost - claims to have taken steps to ensure a similar breach does not happen again.

The latest breach of the Data Protection Act happened on 28 May last year, when the council offices were being refurbished. One laptop had been locked away in a drawer, but the key to the drawer was kept in a different, unlocked drawer, along with the second laptop.

One of them contained the authority's creditor payment history file, which held personal information on 20,143 people, and the bank account details of 6,069.

Employees had asked for them to be encrypted but this had not happened.

Ken Macdonald, the ICO's assistant commissioner for Scotland told the BBC: "How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief.

"The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people's details have been compromised.

Noting the previous enforcement notice, he went on: "To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow."

A Glasgow City Council spokesman said: "It is important to note that the number of unencrypted laptops was already coming down when this theft occurred.

"The council co-operated fully with the Information Commissioner's Office and wrote to everyone potentially affected to advise them of the data loss.

"The ICO acknowledges there is no evidence that any bank accounts have been targeted, that the council immediately informed it of the theft and that we carried out significant remedial action."