Edinburgh Council Lacked Infosecurity Policy Before Major Breach

UK data protection watchdog the Information Commissioner’s Office (ICO) has criticized Edinburgh Council for failing to have an information security policy in place, following a data breach that led to the theft of 13,000 email addresses.

The ICO’s newly released audit concluded that the local authority provided only a “limited level of assurance that processes and procedures are in place and delivering data protection compliance.”

It added that there was “considerable scope for improvement” to reduce the risk of non-compliance with the Data Protection Act.

Most notable among the council’s failings was that it had neither an information security manager nor a security policy in place, contravening local public services data handling guidelines.

What’s more, only 3,000 out of a staff of 18,000 have completed the mandatory Information Governance Foundation e-learning course, the ICO said.

“Information Asset Owners (IAOs) are not currently embedded at CEC [City of Edinburgh Council] and the corporate Information Asset Register (IAR) is in the nascent stages of development,” it added.

“There is no documented target for subject access compliance across CEC. There is no record of the rationale for applying exemptions or withholding third party data in response to subject access requests.”

However, the ICO did note several areas of good practice. Contractor Iron Mountain prepares a monthly report highlighting any files which haven’t been returned, and raising the matter with the relevant part of the council.

Also, staff are required to draft any sharing agreements and submit them to the Information Governance Unit (IGU) and Legal Services for review before the Information Council (IC) will provide sign off.

Andrew Barratt, European managing director of security compliance firm Coalfire, said the problems highlighted at Edinburgh Council are seen all over the country, often made worse when information security budgets are cut due to austerity measures.

“By not appointing someone responsible for ensuring information security commitments are being met, there is a significant likelihood that limited to no budget will be available and nobody has the authority to enforce action,” he added.

“This is also a quick win: put someone on point for data protection and information security. Even if the plans for execution are long term, there is a resource available to drive the change.”

The lack of an overall security policy is “unforgivable,” Barratt argued.

“Many councils openly publish these policies or have versions of data quality and management policies that are available for public consumption,” he said. “Edinburgh Council could have easily taken lessons learned from some of its peers and started some form of basic security program.”

The data breach was made public back in July, when attackers made off with 13,000 email addresses after targeting the council’s web hosting provider.
