Sheffield-based charity Asperger’s Children and Carers Together (ACCT) and Nottingham-based charity Wheelbase Motor Project both breached the Data Protection Act by failing to encrypt computers that contained sensitive information relating to young people, the Information Commissioner’s Office (ICO) said today.

Both incidents occurred when the devices were stolen.  Asperger’s Children and Carers Together reported the breach after an unencrypted laptop, containing personal data relating to 80 children who attended its sessions, was stolen from an employee’s home in December last year.

The laptop was being used to store medication information as well as children’s names, addresses and dates of birth.

Wheelbase Motor Project also reported the breach after the theft of an unencrypted hard drive from the charity’s offices. The device contained personal information relating to 50 young people and included some details about past criminal convictions and child protection issues.

Acting Head of Enforcement, Sally-Anne Poole said:

“The ICO’s guidance is clear – any organisation that stores personal information on a laptop or other portable devices must make sure that the information is encrypted. Information about young people’s medical conditions or criminal convictions is obviously sensitive and should have been adequately protected.”

A new statutory code of practice designed to help businesses and public sector bodies share people’s personal information appropriately has been published today by the Information Commissioner’s Office (ICO).The ICO’s data sharing code of practice covers both routine and one-off instances of data sharing. It includes good practice advice that will be helpful to all organisations that share personal information – for example when local authorities share information with the health service or when building societies provide information to a credit reference agency. The code gives advice on when and how personal information can be shared as well as how to keep it secure. Along with the full code of practice, the ICO has also published a summary checklist that can be used as a quick reference guide to sharing information. By following the code, organisations should find they have:

• a better understanding of when, whether, and how personal information should be shared;
• improved trust and a better relationship with the people whose information they want to share;
• reduced risk of the inappropriate or insecure sharing of personal data; and
• minimised risk of breaking the law and consequent enforcement action by the ICO or other regulators.

The Data Sharing Code of Practice can be downloaded here

Information Commissioner, Christopher Graham, said:

“The code of practice we’ve issued today offers a best practice approach that can be applied in all sectors. It reflects the constructive comments we received during the consultation period, meaning that we can be confident that it not only makes sense on paper but will also work in the real world too. I’d encourage all businesses and public bodies that share personal data to get to grips with the code without delay so they can be sure they are getting it right.”

The code explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data. It also provides good practice advice that will be relevant to all organisations that share personal data.

Any data controller who is involved in the sharing of personal data should use the code to help them to understand how to adopt good practice.

At last, Sony and all involved in running the PlayStation Network have come clean with exactly what has happened with their network.

For the past few days, all access to the Playstation Network and Qriocity services have been unavailable as they turned off the service to investigate what has happened.

3 minutes ago, the user PlayStationEU on twitter announced a link to their latest blog post (here: click!). The blog post states:

we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained.

If you have a Playstation and you’ve signed up for the Playstation Network, it may be wise for you to consider changing your password or authentication details if they are the same on other sites or networks.

This is yet another example of the importance of ensuring your passwords are not all the same for every service. If you can use a three-word-phrase instead, use a three-word-phrase. For example, the password “abc123” is nowhere near as secure as “my dog smells”.

A School in Oldham has breached the Data Protection Act after the theft of an unencrypted laptop from a teacher’s car, the Information Commissioner’s Office (ICO) said today.

The laptop contained personal information relating to 90 pupils at the school.

The school reported the breach to the ICO in January after an unencrypted laptop was stolen from the boot of a teacher’s car when parked at their home overnight. The ICO’s enquiries found that the school was unaware of the need to encrypt portable and mobile storage devices, although it did have a policy in place informing staff that storage devices should not be kept in cars when away from the school premises.

The Head Teacher of Freehold Community School has signed an undertaking to ensure that portable and mobile devices including laptops and other portable media used to store and transmit personal data are encrypted using encryption software which meets the current standard or equivalent.

Staff will also be trained on how to follow the schools policy for the storage and use of personal data and the school has agreed that its policies on data protection and IT security issues will be appropriately and regularly monitored.

The ICO has produced guidance for schools, colleges and other educational institutions explaining their obligations under the Data Protection Act which can be found on the ICO website here.

NHS Birmingham East and North breached the Data Protection Act by failing to restrict access to files on their IT network, the Information Commissioner’s Office (ICO) announced today. The breach led to some NHS staff at their own Trust and two other NHS Trusts nearby potentially being able to access restricted information.
NHS Birmingham East and North reported the breach to the ICO in September last year after discovering that electronic files, stored on a shared network, were potentially accessible to their own employees and the employees of two other local Trusts.

The files contained information relating to thousands of individuals, including members of staff. Although health records were not compromised as part of the breach, the files also contained some high level information relating to patients.

The ICO’s investigation has found that, while most of the files were not easily accessible and some security restrictions were in place, file security in general was inadequate.

Cambridgeshire County Council breached the Data Protection Act by losing a memory stick containing sensitive data relating to vulnerable adults, the Information Commissioner’s Office (ICO) said today.

The ICO was informed by the council in November 2010 that an employee had recently lost an unencrypted memory stick containing personal data relating to a minimum of six individuals. The information included case notes and minutes of meetings relating to the individuals’ support and was saved on an unapproved memory stick. The device was used to store the information after the member of staff encountered problems using an encrypted memory stick that the council had previously provided free of charge.

Funnily enough, the breach occurred shortly after the council had undertaken an internal campaign aimed at promoting its encryption policy. During this time employees had been asked to hand in unencrypted devices and were warned about the importance of keeping personal information secure.

Mark Lloyd, Chief Executive of Cambridgeshire County Council has signed a formal undertaking to ensure that all portable devices used by the council are encrypted using encryption software that meets the current standard. The council has also agreed to carry out regular monitoring of its data protection policies and IT security measures in order to ensure that they are being followed by all staff.

Both Councils Fined

The Information Commissioner’s Office (ICO) today served Earling Council and Hounslow Council with monetary penalties for serious breaches of the Data Protection Act after the loss of two unencrypted laptops containing sensitive personal information.

Ealing Council – FINED £80,000

Hounslow Council – FINED £70,000

The bug potentially affects every user of the Internet Explorer web browser – around 900 million people worldwide.

In a security advisory, the company warned of a loophole that could be used by malicious hackers to steal private information or hijack computers.

Microsoft has issued a software patch to defend against attacks, and said it was working to develop a long-term fix.

Microsoft admitted that the problem meant users could easily be fooled into downloading malicious files by doing something as simple as clicking on a web link.

“When the user clicked that link, the malicious script would run on the user’s computer for the rest of the current Internet Explorer session,” wrote Microsoft representative Angela Gunn in a website announcement accompanying the advisory.

Once the computer had been hijacked, hackers could use it to steal personal data or send users to fake websites, she added.

The security advisory is available here, 2501696.

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim’s Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

All Windows users – particularly those who use Internet Explorer – are being urged to download the fix while the company’s security team develop a way to plug the hole permanently.

For a faster browser experience, why not spend some time playing with Google Chrome?

Want to see just how fast? Look here for a cool video.

The Information Commissioner’s Office has revealed in a survey that 80% of people are concerned about protecting their personal information online.

Research commissioned by the ICO has also found that 96% of individuals surveyed are concerned that organisations do not keep their details secure, and a further 60% believe that they have lost control of the way their personal information is collected and processed.

In a move to mark European Data Protection Day, Information Commissioner, Christopher Graham, supported by Lord McNally, Minister of State at the Ministry of Justice, is urging people to take more care on social networking sites, to think before giving out their personal details online, and to understand what to do when things go wrong.

Information Commissioner, Christopher Graham, said:

It’s never been more important to protect your personal information. Whether you’re surfing the net, shopping online or signing up to social networking sites, it’s crucial that people are thinking about how their information might be used.
From employers looking up potential employees on Facebook to cyber criminals hacking into unsecured wifi networks, not protecting your personal information can cause serious harm and distress. European Data Protection Day is about motivating people to regain control of their right to privacy. I hope people of all ages across the UK will do just that.

A personal information toolkit is available on the ICO website here:
Personal Information Toolkit