Background

For those of you who cannot leave your work at the office: beware of the dangers of remote access.

The Information Commissioner’s Office (ICO) has recently imposed a penalty of £100,000 against Aberdeen City Council as a result of a serious data breach. The breach resulted in sensitive material regarding social services and individuals being published online.

An employee of Aberdeen City Council accessed material and information from the Council’s system via their home computer. Unbeknown to the employee, their home computer, which was second-hand, had a file transfer system installed which allowed documents to be automatically uploaded to a website. This resulted in information relating to the care of vulnerable children being uploaded.

The information was online for a period of 3 months before another local authority employee noticed the material and informed the Council. Aberdeen City Council reported the breach to the ICO which sparked their investigation into the incident.

The ICO found that Aberdeen City Council did not have any relevant home working policy in place and did not have the appropriate measures to ensure that sensitive information or material could not be downloaded from the Council’s system.

The Assistant Commissioner for Scotland at the ICO noted that –

“As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure.”

“In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information.” 

Following the ICO’s findings, the Council is now in the process of improving its compliance with the Data Protection Act.

Comment

Compliance with the Data Protection Act is essential, especially when more and more employees are accessing systems remotely, on the move or at home. Organisations need to do more to ensure that employees working remotely are properly managing sensitive information.

Organisations should be aware of the risk that remote access can pose. The case of Aberdeen City Council demonstrates how seriously the ICO take breaches of the Data Protection Act. It is essential that organisations have relevant Data Protection policies in place. Employers should provide Data Protection training to employees to ensure that they are aware of the rules surrounding Data Protection in an attempt to avoid a breach.