Worker's home PC uploaded child care data to the web, council claims
Aberdeen City Council fined £100,000 by ICO after employee's home PC automatically uploaded children's personal data onto the Internet
Aberdeen City Council has been fined £100,000 following a bizarre incident that led to a number of children's personal data being uploaded to the Internet.
In February 2012, a member of staff searched the Internet for his own name and job title. In the search results, he found the minutes of a council meeting about a child.
The website hosting that file also contained three other council documents, all of which contained "highly sensitive" data about a number of children.
The employee alerted the council. Four hours later, "the data controller had removed the source documents from the website", according to a penalty notice from the Information Commissioner's Office.
Following an internal investigation, the council concluded that a particular employee had taken the files to work on from home. The employee's PC apparently contained a file transfer programme that automatically uploaded the contents of their 'My Documents' file onto the Internet.
The employee told the council that their PC was second hand and the file transfer programme must have been installed when they bought it.
How the council was able to remove the documents from the Internet within four hours of becoming aware of the incident, despite not knowing how they got there, is unclear. The ICO is unable to give any more information than is contained in the penalty notice.
The ICO fined the council because of the sensitivity of the data and because the incident revealed lax controls over the way employees handle documents. "The data controller did not supply the necessary technical measures required to safeguard personal data from employee's home," it said.
It added that the council's data protection training was inadequate.