It would have been easy to miss this piece of bad news buried in the tin-foil of a few million Easter eggs:
Memory sticks and CDs containing the personal details of 9,000 school children have been stolen from a house in north London… The computer equipment was encrypted – in line with council policies to avoid access to confidential information – but this was not the case with the CDs or memory sticks.
Apparently the member of staff responsible has been suspended and, according to Techwatch:
Barnet council has taken action to tighten up its security, by disabling USB ports and any access to external storage devices so such unauthorised file copying won’t be able to happen in the future.
The council has also ordered that all computers leaving the office will have to have their data encrypted from now on, and it’s launching an independent review into the whole issue of how its data is managed.
Perhaps Barnet hasn’t read the Data Handling Guidelines, created especially for them and all other councils 18 months ago. Had they done so, they might have considered reviewing their practices rather earlier and following the example of councils that have made it impossible to copy data onto removable media without prior consent.
‘It is critical that systems are designed in a way that as far as possible prevents security breaches, such as preventing sensitive data being copied onto unencrypted laptops, USB disks and other mobile media; and limiting very strongly the amount of sensitive data that can be copied around a system – eg it might be reasonable for a social worker to take home the records of 10 individuals on an encrypted laptop. It is a disaster waiting to happen for a director of children’s services to take home information on hundreds or thousands of individuals, regardless of laptop encryption or any information security training they have received.’
Nobody should be able to take the details of 9,000 children home with them in the first place.