The London Borough of Greenwich recently signed an undertaking with the Information Commissioner’s Office following two incidents in which unencrypted personal and sensitive information was disclosed due to (1) a failure to encrypt and (2) sensitive information being sent by e-mail to external addresses at all. From the undertaking:
The Information Commissioner (the ‘Commissioner’) was provided with a report on 22 February 2011, detailing two incidents where sensitive personal data was inadvertently disclosed. The sensitive personal data in question included medical and family history plus criminal conviction information relating to a number of individuals, including minors.
The first incident occurred on 30 November 2010 when two unencrypted Council reports, including sensitive personal data, were sent via email to an incorrect external email address.
The second incident occurred on 08 December 2010, when an unencrypted ‘school fair access panel’ meeting agenda, which contained sensitive personal data, was sent to an incorrect external email address.
Both incidents were ultimately caused by human error as the senders failed to adhere to the Council’s ICT policy. This policy stated that email is not a secure or confidential medium and that confidential data must be encrypted in order to avoid access by unauthorized persons. However it is noted that at the time the incidents occurred, the policy did not explicitly state that the sending of emails containing sensitive personal data to external webmail addresses should be avoided. The Council intends to issue a revised policy which addresses this specific issue.