The Information Commissioner’s Office (ICO) has found that the Royal London Mutual Insurance Society breached the Data Protection Act (DPA) after eight laptops, two of which contained the personal details of 2,135 people, were stolen from the company’s Edinburgh offices. The individuals affected were employees of various firms which had sought pension scheme illustrations.
The two laptops containing personal information were unencrypted but were password protected. An internal report established that the company was uncertain about the precise location of the laptops at any given time and that physical security measures were inadequate. The report also revealed that managers were not aware that personal information was stored on any of the laptops, which meant no additional precautions to control and secure the data had been taken.
Mick Gorrill, Head of Enforcement at the ICO, said: ”It is crucially important that portable devices such as laptops containing personal information are properly protected. It is particularly concerning that the organisation was unaware of the whereabouts of the laptops at any given time or what information they held. All staff members should be fully aware of the policies and procedures in place to safeguard personal information and should be appropriately trained.