The UK’s Information Commissioner’s Office (ICO) has fined a local authority in Scotland £100,000 after an employee posted confidential information about vulnerable children online.
Aberdeen City Council was found to have breached data protection law after a council employee accessed documents, including meeting minutes and detailed reports, from a home computer.
A file transfer programme installed on the machine automatically uploaded the documents to a website, publishing information about vulnerable children, their families and details of alleged criminal offences.
The files were in the public domain until February 2012 when a colleague spotted them after carrying out an online search linked to their own name and job title.
The ICO’s investigation found that the council had no relevant home working policy in place for staff and did not have sufficient measures in place to restrict the downloading of sensitive information from the council’s network.
ICO assistant commissioner for Scotland Ken Macdonald said: "As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure.
"In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information.
"On a wider level, the council also had no checks in place to see whether the council’s existing data protection guidance was being followed."
Richard Anstey, CTO EMEA at Intralinks, said companies need to strike a balance between usability and control to minimise the risk of sensitive information leaking.
"Too many councils are getting fined and we are seeing this way too often – clearly lessons aren’t being learned. Organisations should consider secure enterprise collaboration services which can maintain a higher level of document security and allow full and auditable proof of receipt," he said.
"All files are opened within the software instead of a straight download to the device hard drive – all in the original host programme. The administrator knows who is sharing what, who is opening which file and can fully audit the lifecycle of the document. This helps organisations mitigate the risks presented by mobile working."