West Berkshire Council is taking remedial action after the Information Commissioner’s Office (ICO) found it in breach of the Data Protection Act (DPA) following the loss of a USB stick containing the sensitive personal information of children and young people.
The memory stick, which was unencrypted and not password protected, contained, among other things, information relating to the ethnicity and physical or mental health of the children. The ICO found that unencrypted devices, in operation before the council introduced encrypted memory sticks in 2006, were still being used by members of staff. Further enquiries revealed that staff had not received appropriate training in data protection issues, and that monitoring of compliance with the council’s policies was inadequate. This is the second data security incident reported by West Berkshire Council within six months.
Nick Carter, Chief Executive of West Berkshire Council, has now signed a formal Undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted. Staff will also be made fully aware of the council’s policy for the storage of personal data and receive appropriate training on data protection and IT security issues.
Sally-anne Poole, Enforcement Group Manager at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children. A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands. I am aware that staff have been provided with encrypted USB sticks since 2006 but older devices were not recalled. I am pleased that the council has now taken action to prevent against further data breaches.”
A full copy of the Undertaking can be viewed here:
http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
Source: Information Commissioner’s Office