Glasgow City Council fined £150,000 for loss of unencrypted laptops
Glasgow City Council has been fined £150,000 for the loss of two unencrypted laptops, one of which contained personal details of more than 20,000 people.
The fine was issued by the Information Commissioner's Office.
The ICO discovered that a further 74 unencrypted laptops were missing, six of which were known to be stolen.
Glasgow City Council said it took immediate steps to ensure a similar breach did not happen again.
The council had been issued with an enforcement notice three years ago after an unencrypted memory stick containing personal data was lost.
The latest Data Protection Act breach resulted from two laptops being stolen from council offices on 28 May last year.
The premises were insecure as they were were being refurbished and there had already been complaints of theft and a lack of security.
One laptop had been locked away in its storage drawer and the key placed in the drawer where the second laptop was kept, but the second drawer was subsequently left unlocked overnight, allowing the thief access to both laptops.
One of the laptops stolen contained the council's creditor payment history file, listing the personal information of 20,143 people, including the bank account details of 6,069 individuals.
The employees who used the laptops had asked for them to be encrypted but this had not happened.
The ICO's investigation found that, despite its previous warning and in breach of its own policy, the council had issued a number of its staff with unencrypted laptops after encountering problems with the encryption software.
While most of these devices were later encrypted, the ICO also discovered that a further 74 unencrypted laptops remain unaccounted for.
Ken Macdonald, the ICO's assistant commissioner for Scotland said: "How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief.
"The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people's details have been compromised.
"Glasgow City Council was issued with an enforcement notice back in 2010 after a similar incident where an unencrypted memory stick was lost.
"To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow.
"The council should be held to account, and the penalty goes some way to achieving that."
The ICO has also served the council with an enforcement notice requiring it to carry out a full audit of its IT assets used to process personal data and arrange for all of its managers to receive asset management training.
The council must also carry out a full check of all of its devices each year so that the asset register can be kept up to date.
A Glasgow City Council spokesman said: "This data loss should not have happened and we took immediate steps to ensure it does not happen again. It is important to note that the number of unencrypted laptops was already coming down when this theft occurred.
"The council co-operated fully with the Information Commissioner's Office and wrote to everyone potentially affected to advise them of the data loss.
"The ICO acknowledges there is no evidence that any bank accounts have been targeted, that the council immediately informed it of the theft and that we carried out significant remedial action."