The Information Commissioner’s Office (ICO) has found St Albans City and District Council in breach of the Data Protection Act. A laptop was stolen which was used to store postal voters’ records as part of an election process in June 2009.
The personal information, which was password protected but unencrypted, remained on the laptop when it was no longer required. At a later date it was left unsecured on a desk until it was discovered missing on 5 November 2009 along with three other laptop computers belonging to the council.
Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said: “When organisations store large volumes of personal details on portable computers, encryption is essential. They must ensure staff and contractors are trained to handle personal information securely to avoid the risk of information falling into the wrong hands. It is also crucial organisations don’t keep personal information for longer than is necessary.”
Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Not transferred to other countries without adequate protection