The privacy blunder that cost a city big (and how to avoid it)

Wed, 2013-09-04 06:01 -- Jesse Berst

Here at the Smart Cities Council, we recommend that cities implement a citywide privacy program. The example below explains why. This UK city was just fined roughly $150,000 when a social services employee accidentally published sensitive information about vulnerable children.

If it was simply a stupid mistake by one employee, why did the UK's Information Commissioner's Office levy the fine? For failing to have the right policies and security measures in place.

You may think you don't have the budget for citywide, cross-departmental privacy standards. I'll argue that you are wrong for several reasons. First, penalties like the one below can easily erase the "savings" from ignoring the problem. Second, a single, citywide effort will probably cost less than having each department re-invent the privacy wheel. Third, you don't have to start from scratch; you can borrow from those who have gone before. Study the best practices published by Ontario's Information and Privacy Commissioner. Or those from the Future of Privacy Forum.

The fine, of course, represents only a fraction of the damage done to the city administration and its reputation with citizens. Don't let your city make this mistake. Institute a citywide data privacy policy that applies to all departments. -- Jesse Berst

The Aberdeen (Scotland) City Council was fined €100,000 after an employee working from home published data online about vulnerable children in the care of social services, according to a report in UK-based Computing.

The information remained online and freely available for three months. The breach was finally discovered when another employee came across it during a web search.

The €100,000 fine was levied by the Information Commissioner's Office (ICO), which investigated and found the Aberdeen Council didn't have a work-from-home policy for its staff, didn't have security measures in place to stop the release of sensitive information and didn't have a system in place to know if the data guidelines it did have in place were being followed.

Computing quoted an ICO official about the situation: "As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure," said Ken Macdonald, Assistant Commissioner for Scotland at the ICO.

Added Richard Anstey, CTO EMEA for Intralinks: "Too many councils are getting fined and we are seeing this way too often - clearly lessons aren't being learned."


Jesse Berst is the founding Chairman of the Smart Cities Council.