Rotherham Council bosses decided to keep secret details of laptop thefts from their offices - despite being aware that ‘significant amounts of confidential information’ relating to a child abuse investigation and young people in care had been lost.
New information has now been made public about the theft of 21 laptops taken from the council’s Norfolk House offices on the night of October 26, 2011, by someone with apparent access to the building.
The ICO’s Freedom of Information has released copies of letters sent between it and Rotherham Council in relation to the matter, as well as some partially-redacted internal council emails.
They reveal that within a week of the theft, director of safeguarding and corporate parenting services Howard Woolfenden and children’s services boss Joyce Thacker were emailed by a member of staff tasked with finding out precisely what information had been lost.
An email sent to the pair by the unnamed worker said: “I am sorry to be the bearer of bad tidings.
“I have had a very cursory look at the H: drives of those staff who have had their laptops stolen. It does appear there are significant amounts of confidential information. As an example there are details of the sexploitation case involving taxi drivers.
“This includes names, addresses, birth dates of both the victims and the alleged perpetrators plus some narrative about the events.”
On December 12, Mr Woolfenden sent an email saying he had discussed the theft with the police and whether those whose names were contained on the stolen laptops should be informed about what had happened.
The published version of the email says: “I shared the adult names with the police and discussed with the Detective Inspector [name redacted] with responsibility for safeguarding. Their decision is not to inform the named adults on the list.
“I have discussed the children with [name redacted] and risk assessed the merit of telling or not telling some or all of the named individuals.
“In conclusion, we felt it was in the interests of all the named individuals that they should not be informed.”
According to Louise Casey’s damning report into Rotherham Council, on December 19, 2011, a report was prepared for the council’s senior leadership team which advised bosses that ‘the safety of vulnerable persons, particularly children, could be compromised if the information is accessed’ and it may be necessary to tell the Information Commissioner’s Office about what had happened due to the sensitivity of the information.
But the report also warned the council may be fined by the ICO for the data breach.
No minutes were taken of the leadership team meeting but the ICO was not informed about the theft.
In February 2012, the Rotherham Advertiser reported about the loss of the laptops, resulting in the ICO contacting the council to ask for an explanation about what information had disappeared.
The council responded in April 2012 and initially stated that five of the laptops, which were all protected from unauthorised access, contained a ‘small amount of personal data’.
It said one of the laptops contained notes of a meeting relating to a police investigation into child sexual exploitation, including the names of the teenagers concerned and some of their dates of birth and addresses.
Information stored on the other laptops included names of children in care and details of Probation Service letters about prisoners who were due to leave jail.
But Rotherham Council said it considered no ‘sensitive personal data’ was contained in any of the laptops.
The letter to the ICO from the council’s legal department said an investigation had concluded that the theft appeared to be ‘opportunistic’ and done not for the information on the laptop but to sell on the devices with new hard drives.
The council said it had taken the view there was ‘no clear purpose’ in informing the ICO about the data loss as only an ‘ICT specialist’ would be able to get around the security measures.
However, the Casey report published this February said a whistleblower claimed he had demonstrated to council bosses that the laptops could be broken into within two hours by following instructions found via Google.
In June 2012, the ICO issued a decision to Rotherham Council, stating the circumstances of the case were considered serious and ‘the failure of council staff to comply with its confidentiality and information security policies resulted in the potentially inappropriate disclosure of the information concerned’.
It found the information lost ‘appears likely to have be ‘sensitive personal data’ and has the potential to cause significant detriment to the individuals concerned if compromised’.
But it said that following ‘remedial steps’ from the council, including improved security and encryption measures, it would not be taking formal enforcement action against the authority.
The case was reopened by the ICO in December 2012 after it was provided with further information about other laptops being stolen from council premises.
In January 2013, the council stated there had been ‘no hint’ of the information stolen from Norfolk House becoming public, but did confirm other computer equipment had been stolen from the council in the past and two further laptop thefts had taken place since October 26, 2011.
Further exchanges between the ICO and the council revealed that in March 2010 an unencrypted laptop containing three reports about children was stolen.
In May 2013, the ICO ruled no further action would be taken against the council.
The Louise Casey report in February said: “Whilst it is not possible to prove exactly what was held and therefore what was lost, evidence seen by inspectors confirms that the council did cover up the scale of the loss known at the time.”