According to the ICO, one of the stolen laptops contained the council’s creditor payment history files, listing 20,143 people’s personal information — including 6,069 people’s bank account details.
The council had already been served with an enforcement notice from the ICO in 2010 following a similar breach in which an unencrypted memory stick containing personal data was lost. Still, the council had provided several of its staff members with unencrypted laptops, 74 of which remained unaccounted for, and at least six of which are known to have been stolen.
“How an organization can fail to notice that 74 unencrypted laptops have gone missing beggars belief,” ICO assistant commissioner for Scotland Ken Macdonald said in a statement. “The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.”
In addition to the £150,000 penalty, the council will also be required to carry out a full audit of its IT assets used to process personal data, to arrange for all of its managers to receive asset management training, and to carry out a full check of all of its devices on an annual basis.