A Scottish advocate breached the Data Protection Act after failing to encrypt a laptop containing sensitive personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.

The laptop was stolen from the home of Ruth Crawford QC in 2009 when she was away on holiday. It contained personal data relating to a number of individuals involved in eight court cases the advocate had been working on. This included some details relating to the physical and mental health of individuals involved in two of the cases. The device has not been recovered; however, most of the information compromised would already have been released as evidence in court papers.

The breach was only reported to the ICO on 30 August 2011 when the last case relating to information held on the laptop was concluded. The ICO’s enquiries found that, whilst Ms Crawford had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.

The QC has now agreed to put the necessary changes in place to ensure this type of incident does not happen again. This includes locking away any personal information stored at her home and following any future data protection guidance issued by the Faculty of Advocates or her stable.

Ken Macdonald, Assistant Commissioner for Scotland said:

The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.

 

As this incident took place before the 6 April 2010 the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

Rochdale Metropolitan Borough Council breached the Data Protection Act by losing an unencrypted memory stick containing the details of over 18,000 residents, the Information Commissioner’s Office (ICO) said today. The ICO has required the council to put changes in place and will check to ensure the improvements have been made.

The memory stick – which was lost in May and has not been recovered – included, in some cases, residents’ names and addresses, along with details of payments to and by the council. The device did not include any bank account details. The information had been put on a memory stick to compile the council’s financial accounts.

The ICO’s investigation found that the council’s data protection practices were insufficient – specifically that it failed to make sure that memory sticks provided to its staff were encrypted. The council also failed to provide employees with adequate data protection training. As well as requiring the council to put all of the changes in place by 31 March 2012, the ICO will follow up with the council to ensure that the agreed actions have been implemented.

Acting Head of Enforcement, Sally Anne Poole said:

“Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people.

“Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that’s why we will follow up with the council, to ensure they’re doing everything they can to prevent this type of incident happening again.”

Newcastle Youth Offending Team breached the Data Protection Act by failing to encrypt a laptop containing personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.

The laptop – which contained personal data relating to 100 young people – was reported stolen from a contractor’s home in the Northumbria area in January. The contractor had been working on a youth inclusion programme on behalf of the Team. The majority of the personal data stored on the laptop included names, addresses, dates of birth and the name of the school the young person attended.

The ICO’s investigation found that, although Newcastle Youth Offending Team had a contract in place with the contractor, there was a failure to ensure that its employees were complying with necessary security measures.

Acting Head of Enforcement, Sally-Anne Poole, said:

“Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure. But, to their detriment, not enough data handlers are making use of it. This case also highlights how important it is to ensure that watertight procedures are in place before any work is undertaken by contractors. Organisations shouldn’t simply assume that third parties will handle personal data in line with their usual standards. I’m pleased that Newcastle Youth Offending Team has learned lessons from this incident and hope that it encourages others to heed our advice.”

Consider IT perform laptop encryption in the Edinburgh area on a regular basis. We can consult with you to determine the appropriate security principles you should have in place to ensure you don’t breach the Data Protection Act. For more information on our Encryption Service, click here.

Two organisations have taken action after they breached the Data Protection Act by failing to encrypt personal information on laptops that were later stolen, the Information Commissioner’s Office (ICO) said today.

The Association of School and College Leaders (ASCL) breached the Data Protection Act in May 2011 when a laptop – containing sensitive personal data – was stolen from an employee’s home in Yorkshire. The ICO’s enquiries found that, while the laptop had encryption software installed on it, the decision on whether to encrypt individual documents was left to the employee. At the time of the theft the laptop included unencrypted personal information relating to approximately 100 individuals, including details of their membership of the union and in some cases, details of their physical or mental health.

In a similar incident, Holly Park School in Barnet breached the Act when an unencrypted laptop was stolen from an unlocked office at the school on 1 May. The device contained details of pupils’ names, addresses, exam marks and some limited information relating to their health. After investigating the breach the ICO also discovered that the school had no data protection policy in place at the time of the theft.

Acting Head of Enforcement, Sally Anne Poole said:

“The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.”

Both organisations have now taken action to make sure the personal information they handle is protected. This includes ensuring that portable devices used to store personal data – including laptops – are appropriately encrypted. Both organisations will also introduce adequate checks to make sure their employees are following policies and procedures governing the secure use of personal information.

Consider IT have a range of encryption services that would be ideal for securing your important business data. Click here to find out more.

The University Hospital of South Manchester NHS Foundation Trust breached the Data Protection Act by losing sensitive personal information relating to the treatment of 87 patients, the Information Commissioner’s Office (ICO) said today.

The information was lost after a medical student – who had been on a placement at the hospital’s Burns and Plastics Department – copied data onto a personal, unencrypted memory stick for research purposes. The memory stick was then lost by the student during a subsequent placement in December last year.

The ICO’s investigation uncovered that the hospital had assumed that the student had received data protection training at medical school and therefore did not provide them with the induction training given to their own staff.

The hospital has now agreed to take significant steps to ensure that the personal information accessed by students working at the hospital is kept secure. This includes making sure all students are aware of data protection policies.

Sally Anne Poole, Acting Head of Enforcement said:

“This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature. Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations. NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job.

“While we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people’s education.”

A further undertaking has been signed by the London Ambulance Service who breached the Data Protection Act after a personal laptop was stolen from a contractor’s home. The laptop contained contact details and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. The Trust has now taken action to ensure that contractors are made aware of its existing policy on the use of personal data, which states that staff should not store patients’ information on their personal computers.

Two London housing bodies breached the Data Protection Act after details relating to thousands of their tenants were discovered on an unencrypted memory stick left in a pub, the Information Commissioner’s Office (ICO) said today. The memory stick was handed in to the police and safely retrieved at a later date.

The memory stick belonged to a contractor who was carrying out work for Lewisham Homes and had previously also worked for Wandle Housing Association. The contractor had copied the information held on the memory stick from both organisations’ networks. The device contained details of over 20,000 tenants of Lewisham Homes and 6,200 tenants of Wandle Housing Association. Nearly 800 of the records belonging to Lewisham Homes also contained tenants’ bank account details.

Both organisations have agreed to make sure that all portable devices used to store personal information are encrypted. All staff, including contractors, must follow existing policies and procedures on the handling of personal information. All staff, including contractors and temporary staff, will also be monitored to ensure they are taking the appropriate measures to keep the personal information they are handling secure.

Sally-Anne Poole, Acting Head of Enforcement at the ICO, said:

“Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office. Luckily, the device was handed in and there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected.”