Two London housing bodies breached the Data Protection Act after details relating to thousands of their tenants were discovered on an unencrypted memory stick left in a pub, the Information Commissioner’s Office (ICO) said today. The memory stick was handed in to the police and safely retrieved at a later date.

The memory stick belonged to a contractor who was carrying out work for Lewisham Homes and had previously also worked for Wandle Housing Association. The contractor had copied the information held on the memory stick from both organisations’ networks. The device contained details of over 20,000 tenants of Lewisham Homes and 6,200 tenants of Wandle Housing Association. Nearly 800 of the records belonging to Lewisham Homes also contained tenants’ bank account details.

Both organisations have agreed to make sure that all portable devices used to store personal information are encrypted. All staff, including contractors, must follow existing policies and procedures on the handling of personal information. All staff, including contractors and temporary staff, will also be monitored to ensure they are taking the appropriate measures to keep the personal information they are handling secure.

Sally-Anne Poole, Acting Head of Enforcement at the ICO, said:

“Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office… this incident could so easily have been avoided if the information had been properly protected.”

Sheffield-based charity Asperger’s Children and Carers Together (ACCT) and Nottingham-based charity Wheelbase Motor Project both breached the Data Protection Act by failing to encrypt computers that contained sensitive information relating to young people, the Information Commissioner’s Office (ICO) said today.

Both incidents occurred when the devices were stolen.  Asperger’s Children and Carers Together reported the breach after an unencrypted laptop, containing personal data relating to 80 children who attended its sessions, was stolen from an employee’s home in December last year.

The laptop was being used to store medication information as well as children’s names, addresses and dates of birth.

Wheelbase Motor Project also reported the breach after the theft of an unencrypted hard drive from the charity’s offices. The device contained personal information relating to 50 young people and included some details about past criminal convictions and child protection issues.

Acting Head of Enforcement, Sally-Anne Poole said:

“The ICO’s guidance is clear – any organisation that stores personal information on a laptop or other portable devices must make sure that the information is encrypted. Information about young people’s medical conditions or criminal convictions is obviously sensitive and should have been adequately protected.”

A new statutory code of practice designed to help businesses and public sector bodies share people’s personal information appropriately has been published today by the Information Commissioner’s Office (ICO).The ICO’s data sharing code of practice covers both routine and one-off instances of data sharing. It includes good practice advice that will be helpful to all organisations that share personal information – for example when local authorities share information with the health service or when building societies provide information to a credit reference agency. The code gives advice on when and how personal information can be shared as well as how to keep it secure. Along with the full code of practice, the ICO has also published a summary checklist that can be used as a quick reference guide to sharing information. By following the code, organisations should find they have:

• a better understanding of when, whether, and how personal information should be shared;
• improved trust and a better relationship with the people whose information they want to share;
• reduced risk of the inappropriate or insecure sharing of personal data; and
• minimised risk of breaking the law and consequent enforcement action by the ICO or other regulators.

The Data Sharing Code of Practice can be downloaded here

Information Commissioner, Christopher Graham, said:

“The code of practice we’ve issued today offers a best practice approach that can be applied in all sectors. It reflects the constructive comments we received during the consultation period, meaning that we can be confident that it not only makes sense on paper but will also work in the real world too. I’d encourage all businesses and public bodies that share personal data to get to grips with the code without delay so they can be sure they are getting it right.”

The code explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data. It also provides good practice advice that will be relevant to all organisations that share personal data.

Any data controller who is involved in the sharing of personal data should use the code to help them to understand how to adopt good practice.

At last, Sony and all involved in running the PlayStation Network have come clean with exactly what has happened with their network.

For the past few days, all access to the Playstation Network and Qriocity services have been unavailable as they turned off the service to investigate what has happened.

3 minutes ago, the user PlayStationEU on twitter announced a link to their latest blog post (here: click!). The blog post states:

we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained.

If you have a Playstation and you’ve signed up for the Playstation Network, it may be wise for you to consider changing your password or authentication details if they are the same on other sites or networks.

This is yet another example of the importance of ensuring your passwords are not all the same for every service. If you can use a three-word-phrase instead, use a three-word-phrase. For example, the password “abc123” is nowhere near as secure as “my dog smells”.

A School in Oldham has breached the Data Protection Act after the theft of an unencrypted laptop from a teacher’s car, the Information Commissioner’s Office (ICO) said today.

The laptop contained personal information relating to 90 pupils at the school.

The school reported the breach to the ICO in January after an unencrypted laptop was stolen from the boot of a teacher’s car when parked at their home overnight. The ICO’s enquiries found that the school was unaware of the need to encrypt portable and mobile storage devices, although it did have a policy in place informing staff that storage devices should not be kept in cars when away from the school premises.

The Head Teacher of Freehold Community School has signed an undertaking to ensure that portable and mobile devices including laptops and other portable media used to store and transmit personal data are encrypted using encryption software which meets the current standard or equivalent.

Staff will also be trained on how to follow the schools policy for the storage and use of personal data and the school has agreed that its policies on data protection and IT security issues will be appropriately and regularly monitored.

The ICO has produced guidance for schools, colleges and other educational institutions explaining their obligations under the Data Protection Act which can be found on the ICO website here.

NHS Birmingham East and North breached the Data Protection Act by failing to restrict access to files on their IT network, the Information Commissioner’s Office (ICO) announced today. The breach led to some NHS staff at their own Trust and two other NHS Trusts nearby potentially being able to access restricted information.
NHS Birmingham East and North reported the breach to the ICO in September last year after discovering that electronic files, stored on a shared network, were potentially accessible to their own employees and the employees of two other local Trusts.

The files contained information relating to thousands of individuals, including members of staff. Although health records were not compromised as part of the breach, the files also contained some high level information relating to patients.

The ICO’s investigation has found that, while most of the files were not easily accessible and some security restrictions were in place, file security in general was inadequate.

Cambridgeshire County Council breached the Data Protection Act by losing a memory stick containing sensitive data relating to vulnerable adults, the Information Commissioner’s Office (ICO) said today.

The ICO was informed by the council in November 2010 that an employee had recently lost an unencrypted memory stick containing personal data relating to a minimum of six individuals. The information included case notes and minutes of meetings relating to the individuals’ support and was saved on an unapproved memory stick. The device was used to store the information after the member of staff encountered problems using an encrypted memory stick that the council had previously provided free of charge.

Funnily enough, the breach occurred shortly after the council had undertaken an internal campaign aimed at promoting its encryption policy. During this time employees had been asked to hand in unencrypted devices and were warned about the importance of keeping personal information secure.

Mark Lloyd, Chief Executive of Cambridgeshire County Council has signed a formal undertaking to ensure that all portable devices used by the council are encrypted using encryption software that meets the current standard. The council has also agreed to carry out regular monitoring of its data protection policies and IT security measures in order to ensure that they are being followed by all staff.

Both Councils Fined

The Information Commissioner’s Office (ICO) today served Earling Council and Hounslow Council with monetary penalties for serious breaches of the Data Protection Act after the loss of two unencrypted laptops containing sensitive personal information.

Ealing Council – FINED £80,000

Hounslow Council – FINED £70,000