A councillor has said Lichfield District Council is “verging on negligent” by continuing to use unencrypted laptops three years after the issue was first identified.

Lichfield District Council House

Cllr Joanne Grange’s comments came at a meeting of the audit and member standards committee.

The session was debating a report which revealed that the local authority has been using a number of laptops since 2017 without adequate security measures.

“The biggest area of risk identified is that not all laptop computers are encrypted and that users are not prevented from copying data onto untrusted removable storage devices.

“Both these weaknesses remain, despite being previously reported as part of our audit on mobile computing in 2017 and could lead to a potential data breach as well as financial penalties under the GDPR/Data Protection Act 2018.”

Report to the meeting of the audit and member standards committee on 12th November

“I would struggle to sleep at night”

Cllr Grange told the meeting she would “struggle to sleep” if the data of a local resident was stolen as a result of the use of computer equipment without the correct security steps in place.

Joanne Grange

“While I appreciate COVID-19 has made things difficult, these are not new risks – the laptops have been a risk since 2017.

“I’m nervous letting this go. If we were subject to a hacking attack or if we lost residents’ data knowing what we know about the risks and how long they take to be addressed that feels very uncomfortable and verging on negligent.

“I’d want some assurance on how we can be certain residents’ data is safe.

“If we facilitate someone’s identity being stolen or suffering financial loss I would struggle to sleep at night having just agreed to roll the work over until February.”

Cllr Joanne Grange, Lichfield District Council

Cllr Dave Robertson, Labour representative for Curborough ward, said the council may need to put more resource into protecting data held about residents.

“If there is that significant a resourcing issue which has been there since April or May time and is likely to be there through December, do we need to be talking about whether we get some more staffing resources into IT?

“There is significant data which we don’t have full assurance about its security.”

Cllr Dave Robertson, Lichfield District Council

Cllr Grange, independent representative for Chadsmead ward, said the council needed to take the risks associated with the security of all data seriously.

“The risk is not to the council – but it is to our residents.

“It’s bank account details and National Insurance numbers for our employees as well as residents.

“We have got a very big responsibility when we are holding data that can identify people.

“The perception I’m getting is that as a council we are not taking this seriously.”

Cllr Joanne Grange, Lichfield District Council

“We take the security of residents’ data extremely seriously”

A spokesperson for Lichfield District Council said the laptops were due to be phased out in the New Year.

“We take the security and protection of our residents’ data extremely seriously and work with the National Cyber Security Centre to continuously monitor our network and computers.

“Of the total laptops the council has in active use, only 13 of these are unencrypted and have no residents’ personal data stored on them.

“As the 13 machines are nearing the end of their useable life, they have been identified to be replaced by January 2021.”

Lichfield District Council spokesperson

Ross

Founder of Lichfield Live and editor of the site.


15 Comments

  1. Sounds like a right mess and they should expect an independent audit to confirm compliance and improvements required

    Yet more poor news and corporate governance.

  2. I can’t believe what I’ve just read, thank you Cllr Grange for pursuing this.
    If data can be transferred onto a USB or whatever, then the issue will still be there when the 13 laptops are decommissioned.
    This is disgraceful.
    Fine to say no personal data is held on these laptops but how is this verified?
    It’s irrelevant that ‘only 13’ are affected, it only takes 1 to be hacked.
    This really is shocking and unbelievable and I expect the Council to deal with it as a priority.

  3. This is very worrying.

    Most organisations have some sort of controls on the movement of data and how it is handled. Should a certain user really be downloading huge amounts of personal data?

    The usage of removable storage devices has been questionable for years. So many lost on trains, in coffee shops... most encryption can be reversed if you know what you are doing.

  4. It’s important to keep data safe of course, but if the unencrypted laptops don’t actually have any confidential personal information on them, how would encrypting them make them safer?

  5. @John Allen – if this were your bank you’d be, rightly, furious.
    This is potentially a serious breach of GDPR – unless they can prove it isn’t.
    Audits go back 3 years on this – that’s surely the big point? 3 years ?!?
    It’s so serious I think people won’t believe a govt agency – council here – could be this lax.
    I expect a Council statement about this – personal data is precious and I expect anyone with mine to honour that – don’t you…?
    I’m still reeling at what I read yesterday and even if it’s all fine after an investigation, we shouldn’t have to hear this.
    Govt agencies should have secure firewalls and standards in place per the law.
    Again, thank you Cllr Grange for bringing it to our attention and keeping going with it. Please keep us informed of progress.

  6. It’s probably worth me giving a bit of explanation. The whole meeting is available on YouTube if anyone wants to watch and the papers we were discussing are in the public domain and are available on this link:
    https://democracy.lichfielddc.gov.uk/documents/g1660/Public%20reports%20pack%2012th-Nov-2020%2018.00%20Audit%20and%20Member%20Standards%20Committee.pdf?T=10

    The issue of unencrypted laptops was identified on page 72 along with the detail that “users are not prevented from copying data onto untrusted removable storage devices”. Further it is explained that both these weaknesses were reported in 2017.

    However, I also considered this risk in conjunction with the details on page 60 and page 74 in respect of GDPR audits. The first GDPR audit only gave limited assurance and identified 14 high and medium risk recommendations, of which just 4 had been actioned fully and 10 only partially by the time the follow up audit was performed. The follow up audit was then also only given “limited assurance” status.

    Page 169 in the report pack gives the data protection policy and GDPR update and page 172 details further risks but none of these appears to recognise the impact that these risks crystallising would have on individuals if their data fell into the wrong hands, and all impacts are shown as “low”.

    So I was presented with information that there are unencrypted laptops, there is the potential for untrusted removable storage devices to be used and there were limited assurance audits on GDPR with a seeming failure to follow up actions in good time – 3 years in the case of the laptops and storage devices. The impact of the risks crystallising is considered “low” and focuses solely on the impact to the council rather than to residents or employees.

    Trying to make a name for myself or genuine concern about risks? I’d say the latter and it’s my role to speak in council meetings about these things where I see there could be an impact on people, but I guess it’s down to others to decide.

  7. @Kitty Whilst I do agree that it would probably be wise for all laptops to have encryption, people need to keep a sense of perspective here. You seem to be assuming that if you work in a local authority, that you automatically have access to information about residents.

    There are a lot of different jobs within a local authority, and many of them don’t have or need access to personal data. There’s no breach of GDPR if there’s no personal identifiable information involved.

    Using your example, I wouldn’t be furious to find out that someone in my bank didn’t have an encrypted laptop if it turned out they only dealt with engineering or architectural issues, and didn’t have any access to details of customers. I’d think it a bit foolish perhaps, but nothing for me to get cross about.

  8. @Asellus Aquaticus – I agree with your sentiments. Unfortunately we didn’t have any information about what the unencrypted laptops were used for – just that they exist!

  9. @Asellus Aquaticus – I’d expect roles are allocated IT access based on their need.
    However, unencrypted devices and usage of removable storage devices increases risk.
    This isn’t just about risk assessment though, it may be that the risk is quite small. The Cllr doesn’t feel assured that’s the case though.
    The point is, it’s an audit point which is now three years old. It should have been actioned and closed a long time ago. I do wonder if an audit has highlighted anything similar, since 2017?
    The issue as well seems to be, they can’t be certain that PII isn’t affected.
    I think this is a serious issue. It needs attention and assurance and a clarification. And the Cllr is spot on to highlight these points.

  10. I work in IT. For this to be flagged three years ago, for nothing to be done? Utterly reprehensible. A massive risk to sensitive data, a potential for leaks and a worryingly relaxed attitude to it all too.

  11. We all get spoof emails and unsolicited calls from scammers who try to get access to our bank details. Only this week I had a very convincing email purporting to be from Royal Mail. All they need to get started is your email address or phone number.
    If the council is not able to protect us from potential fraud when we give them information, even our bank details, then they are not fit for purpose. This is not a trivial concern as many are vulnerable and the outcome could have dire consequences.
    The council should be ashamed to be so cavalier with information entrusted to them in good faith by the community.

  12. Just another item to be added to the list of our glorious council failures. Although this is probably the responsibility of employed officers rather than councillors.

  13. Fair enough.

    Joanne, I didn’t for one minute subscribe to the idea that you were out to make a name for yourself, it’s very obvious to me that you are a Councillor for all the right reasons.

    And I agree that if this was raised three years ago it should have been addressed.

    But… some of the commentators on here do need to understand that risk is relative. If this was about the risk of council workers accessing residents’ information when they shouldn’t, then some of the outrage on here might be justified. However, raising people’s fears by suggesting that their personal data is available to (and at risk of disclosure from) each and every council employee is paranoid nonsense that needs to be addressed and refuted.
