29th October 2013
Another local authority has been fined for a serious data breach, underlining how important it is for organisations to handle and store data safely, including by encrypting it.
North East Lincolnshire Council has been fined £80,000 by the Information Commissioner's Office (ICO) following a serious data breach which resulted in the sensitive information of hundreds of children with special educational needs being lost.
The information was stored on an unencrypted memory stick. It was left in a laptop computer at the council's offices in July 2011 by a special educational needs teacher. When the teacher returned, the memory stick was missing and has never been recovered. The compromised sensitive personal information about 286 children at local schools included details of their mental and physical health problems and teaching requirements, as well as their dates of birth. The details of some home addresses and information about their home life were also on the device.
An internal report carried out by the council conceded that the health of the children affected would suffer because of the loss. The council had actually introduced a policy of encrypting portable devices three months previously, but failed to make sure that all memory sticks in current use by staff were encrypted. The council was unable to confirm if the teacher had received data protection training at the time of the loss.
Stephen Eckersley, the regulator's Head of Enforcement, said: “Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted. North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented.” Mr Eckersley continued: “This breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people’s information is being looked after correctly.”
The ICO’s Group Manager for Technology, Simon Rice, has published a blog explaining the importance of encryption and the options available to organisations that need to encrypt their data.
The ICO has also published best practice advice for schools explaining the key issues they need to be aware of when processing people’s information. The guidance was developed after the ICO received feedback from 400 schools on their compliance with the Data Protection Act.