May, 2011

Sheffield-based charity Asperger’s Children and Carers Together (ACCT) and Nottingham-based charity Wheelbase Motor Project both breached the Data Protection Act by failing to encrypt computers that contained sensitive information relating to young people, the Information Commissioner’s Office (ICO) said today.

Both incidents occurred when the devices were stolen.  Asperger’s Children and Carers Together reported the breach after an unencrypted laptop, containing personal data relating to 80 children who attended its sessions, was stolen from an employee’s home in December last year.

The laptop was being used to store medication information as well as children’s names, addresses and dates of birth.

Wheelbase Motor Project also reported the breach after the theft of an unencrypted hard drive from the charity’s offices. The device contained personal information relating to 50 young people and included some details about past criminal convictions and child protection issues.

Acting Head of Enforcement, Sally-Anne Poole said:

“The ICO’s guidance is clear – any organisation that stores personal information on a laptop or other portable devices must make sure that the information is encrypted. Information about young people’s medical conditions or criminal convictions is obviously sensitive and should have been adequately protected.”

A new statutory code of practice designed to help businesses and public sector bodies share people’s personal information appropriately has been published today by the Information Commissioner’s Office (ICO).The ICO’s data sharing code of practice covers both routine and one-off instances of data sharing. It includes good practice advice that will be helpful to all organisations that share personal information – for example when local authorities share information with the health service or when building societies provide information to a credit reference agency. The code gives advice on when and how personal information can be shared as well as how to keep it secure. Along with the full code of practice, the ICO has also published a summary checklist that can be used as a quick reference guide to sharing information. By following the code, organisations should find they have:

• a better understanding of when, whether, and how personal information should be shared;
• improved trust and a better relationship with the people whose information they want to share;
• reduced risk of the inappropriate or insecure sharing of personal data; and
• minimised risk of breaking the law and consequent enforcement action by the ICO or other regulators.

The Data Sharing Code of Practice can be downloaded here

Information Commissioner, Christopher Graham, said:

“The code of practice we’ve issued today offers a best practice approach that can be applied in all sectors. It reflects the constructive comments we received during the consultation period, meaning that we can be confident that it not only makes sense on paper but will also work in the real world too. I’d encourage all businesses and public bodies that share personal data to get to grips with the code without delay so they can be sure they are getting it right.”

The code explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data. It also provides good practice advice that will be relevant to all organisations that share personal data.

Any data controller who is involved in the sharing of personal data should use the code to help them to understand how to adopt good practice.