We almost take it for granted that local councils are going to lose personal information; but this latest from Glasgow City Council stands out. An unencrypted laptop, one of two, was stolen from its offices. One of the laptops contains personal data relating to nearly 40,000 customers; and that data includes the bank details of 10,382 suppliers and 6,069 residents, and at least the names and addresses of the others.
The robbery took place “between Monday 28 and Tuesday 29 May, [but] the full extent of the data loss did not become apparent until Wednesday, June 6,” says the council.
The ICO and local police have been informed and the council is sending a letter of apology to all those concerned. A council announcement on 12 June advises customers that “no one from the council will contact you by phone on this issue;” but that will be of little comfort to the 16,451 customers whose bank details were held on the laptop. Relevant banks have also been contacted.
The council clearly has some questions to answer. Why was this data stored on a laptop? Why was the laptop unencrypted? And why did it take more than a week to realize what was on the laptop?
The government also needs to ask itself whether the current data protection enforcement regime is adequate to the task.