Lost USB stick costs police £120,000
By Nicole Kobie
Posted on 16 Oct 2012 at 09:59
Greater Manchester Police has been fined £120,000 for losing a USB stick containing data on more than a thousand people - despite a previous incident leading to an "amnesty" on unencrypted memory sticks.
The Information Commissioner's Office fined the police force £150,000 - but offered a £30,000 discount for early payment - after an unencrypted memory stick holding data relating to an investigation was stolen from an officer's home in July 2011.
The device held personal data on 1,075 individuals with "links to serious crime investigations". While the ICO admits not all of the data was sensitive, the ICO redacted even the description of the sensitive aspects in its own notification document.
The officer in question - who worked mainly in the drugs squad of the Serious Crime Division - was given an encrypted memory stick by the force in 2003, which he used to back up his files and carry key documents with him when out of the office. However, the officer replaced that USB stick himself with a larger-capacity one that had no encryption.
The incident follows a similar data breach in 2010. After that, the force banned unencrypted memory sticks, holding an "amnesty" leading to 1,100 devices being turned in. However, the officer who was burgled was on leave during the amnesty, so continued using his unencrypted device.
"This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine," said David Smith, the ICO's director of data protection. "It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action."
Greater Manchester Police has now installed security software blocking data from being transferred to "unauthorised" USB devices, the ICO noted.
The ICO has been criticised for issuing heavy fines - so far, almost all to public sector bodies - when budgets are already being cut.
Earlier this month, the head of an NHS patient information group suggested the fines hitting the health service were already hurting patient care. This time, the ICO pointed out that it doesn't keep the fine, but hands it over to the Treasury.
While a single stolen memory stick with a limited amount of sensitive data may seem hardly worth a six-figure fine, the ICO noted that the officer wasn't the only one ignoring data rules. "At the time of the security breach, a significant number of officers across the Force were routinely using such devices although the Commissioner accepts that they were not necessarily storing sensitive personal data," the ICO said.
In the official notice, the ICO defends its decision to levy a fine, saying the incident was "likely to cause substantial damage and/or substantial distress" - but admitted there was no proof the data had been used. The USB stick has still not been recovered.
"This is a substantial monetary penalty, reflecting the significant failings the force demonstrated," Smith added. "We hope it will discourage others from making the same data protection mistakes."
So the ICO fine is handed to the Treasury, which in turn funds the Police...So the money returns to sender in the end, via a circular route....nothing to see here...move along!
By Jaberwocky on 16 Oct 2012
Make it a sackable offence...
and then see how many employees will carry unencrypted USB sticks. Still harder to believe our government depts still need USB sticks to handle data! Just ban them.
By drummerbod on 16 Oct 2012
@drummerbod, if it's a choice of using a USB stick or sending it home via e-mail (sitting on some unspecified ISP's mail servers), the USB sticks will win.
It wasn't being used round the offices.
By johnfair4 on 16 Oct 2012
Put the data centrally whereby only VPN access or web access via Citrix. Email - why on earth would you think of email?
By drummerbod on 16 Oct 2012
Fines are useless against public bodies
Financial penalties are only effective when applied to entities for whom making money is the goal; a public body has other concerns, so as drummerbod suggests, make it a sackable offence - at senior level and all the way down the chain of command so that the responsibility is felt throughout the organisation.
By SwissMac on 16 Oct 2012
Repeat Offence by ICO?
Jaberwocky has the basis of most of my former comments about the ICO failures.
AGAIN: The police receive their income from the taxpayer and especially the Council Tax Payer. Having had their data lost by a PUBLIC BODY (The police in this case), they will effectively need to pay this "fine".
That is adding injury to insult, whereas a job loss AT THE TOP would affect the persons who committed the offence.
By lenmontieth on 16 Oct 2012
which in turn funds the Police...
Well we technically fund the Treasury and the police (apart from the QE money they create out of thin air).
By Alfresco on 17 Oct 2012
So the officer was burgled and then listed the USB stick as stolen property.
Who would ever do that?
99.9999etc.% of people would just keep quiet about it, especially if they knew what was on it! Very odd.
By peterj6 on 18 Oct 2012