A Scottish charity – based in Glasgow – breached the Data Protection Act after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.
The information included people’s names, addresses and dates of birth, as well as a limited amount of data relating to the individuals’ health. The charity – Enable Scotland (Leading the Way) – promptly reported the incident to the ICO in November 2011 and informed those individuals affected.
The ICO’s investigation found that the information should have been deleted from the memory sticks once it had been uploaded onto the charity’s server. The charity had no specific guidance for home workers on keeping personal data secure, and portable media devices used to store sensitive personal information were not routinely encrypted.
Peter Scott, Chief Executive of Enable Scotland, has now signed an undertaking, committing the charity to improving its compliance with the Data Protection Act. This includes making sure laptops used to store sensitive personal data are encrypted. Hard copy files will only be removed from the office when absolutely necessary and will contain the minimum amount of personal data required. Guidance will also be provided to home workers, to ensure that any personal data taken outside of the office is kept secure.