PUBLISHED: 10:45 10 December 2009 | UPDATED: 14:47 06 May 2010
SIR – I observed the special cabinet meeting where the council s loss of confidential data was discussed (December 1). In my work I am not unfamiliar with the Data Protection Act and risk assessments. Recently I contributed to a professional study group
SIR - I observed the special cabinet meeting where the council's loss of confidential data was discussed (December 1).
In my work I am not unfamiliar with the Data Protection Act and risk assessments.
Recently I contributed to a professional study group's publication which focused on the risks associated with data protection.
I'm afraid therefore in my opinion your headline in the following edition of the Herts Advertiser "Council alerts banks over laptop data theft" might have given affected residents a false sense of security.
From my understanding on the night, nearly four weeks after the theft of the laptop had been noticed, the critical information had still not been passed to the police.
In fact banks and other financial institutions could not be alerted until residents had been informed and given the opportunity to have an opt-out on this data being passed on.
That meant the people affected had been left with no protection, unless they had already taken measures of their own when they were first informed two weeks after the data was found to be missing. It only takes a few days to compromise any data.
It was noticeable that most of the questions posed to the council's chief executive came from councillors not on the cabinet.
The cabinet it seemed to me to look as if they wished to be anywhere but in the eye of this storm of the council's own making.
The head of IT was present and I am sure he could have answered the questions but in my opinion had been gagged.
The answers given were wishy-washy and certainly did not impress me.
As you have reported a man has been arrested in connection with the laptop thefts. I have also seen a quote from a councillor that the man was allegedly a contractor working for the council.
If this is the case, this information is obviously a critical factor in any risk assessment residents need to make on the security of their data.
About three weeks ago the council acknowledged at the meeting they could have spent £50,000 and offered security vetting for all the over 14,000 residents affected.
However they decided not to do this and fell back on the shelter of the Data Protection Act putting the onus on the residents to prove the council was liable for damages for losing their data.
This I suggest will be almost impossible to do and the council knows this.
Accountability seems to be the crux of the matter now. The council has acknowledged it failed to adhere to its own data protection policy.
Near to the end of the public part of the meeting we learnt that IT was under the care of the culture and heritage portfolio holder.
Who gave this portfolio holder with such an extensive brief data security as an ad-on to his brief?
The council has been slow and unnecessarily bureaucratic in reacting firstly to the loss of the data and since then compounded their failures by doing precious little to protect residents whose data was stolen.
I feel the leader of the council, the portfolio holder, the chief executive and head of IT have each in their way failed in their responsibilities.
I know what would happen in the private sector. I will be watching with great interest on how these people respond in this case.
Tennyson Road, St Albans
If you value what this story gives you, please consider supporting the Herts Advertiser. Click the link in the orange box above for details.