Local Authority fined £80k for losing unencrypted USB stick

North East Lincolnshire Council has been fined a monetary penalty of £80,000 (eighty thousand pounds) for failing to encrypt a USB stick that contained personal information about the physical or mental health of pupils and their teaching requirements as well as information about their home life.

On 1 July 2011 an unencrypted USB memory stick containing personal and sensitive personal data was lost on the data controller’s premises. A special educational needs teacher had been working with the information held on the USB stick while using a laptop that was connected to the data controller’s networked computer system.

When logging off the system and leaving the office for the day, the teacher forgot to remove the USB stick. When the teacher realised the mistake and tried to retrieve the USB stick, it was gone. To date, the USB stick has not been recovered. The data controller completed an internal investigation in response to the incident.

Stephen Eckersley, ICO head of enforcement, said: “Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted.”

He went on to say: “North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented. This breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people’s information is being looked after correctly.”