A monetary penalty notice has been served by the Information Commissioner’s Office on North East Lincolnshire Council after the loss of an unencrypted USB drive containing personal and sensitive personal data relating to 286 special needs children.
From the notice announcing the penalty:
On 1 July 2011 an unencrypted USB memory stick containing personal and sensitive personal data was lost on the data controller’s premises. A special educational needs teacher had been working with the information held on the USB stick while using a laptop that was connected to the data controller’s networked computer system. When logging off the system and leaving the office for the day, the teacher forgot to remove the USB stick. When the teacher realised the mistake and tried to retrieve the USB stick, it was gone. To date, the USB stick has not been recovered. The data controller completed an internal investigation in response to the incident.
The teacher worked in the data controller’s Special Educational Needs Support Service in the Children’s Services Directorate (‘the directorate’). The teacher would spend the majority of time away from council offices visiting schools and other community locations. The teacher was not primarily office based and did not have remote access to the data controller’s computer system. Information was saved on the USB stick as it enabled access to necessary data during visits to the different locations. The data controller issued the teacher with the USB stick in 2005.
The USB stick holds the personal and sensitive data of 286 pupils with special educational needs who attended schools in the data controller’s area. The pupils were aged between 5 and 16 years. The data consists of reports that cover issues such as dyslexia, Irlen syndrome and other mental and physical disabilities, school performance, learning issues and specific teaching strategies for pupils with special educational needs. All of the reports contain the name of the pupil and the school they attended. The majority of the reports contain the DOB of the pupil and some contain pupils’ home addresses. A small number of reports identify the parents of a pupil, and contain information about the ‘home-life’, which includes financial matters and family dynamics. The reports identify whether the pupil is deemed vulnerable and whether the data controller’s children’s services are involved. The reports are all protectively marked.
Following the incident, the data controller carried out a risk assessment for the potential damage and distress to the data subjects. The internal report estimated that the loss of the sensitive personal data is likely to lead to the ill-health of those affected through the disclosure of the data or due to a break in the services which they were receiving. The likely damage and distress to the data subjects is substantial due to the volume of data which has been lost, and that the data subjects are children aged 5 -16, some of whom are deemed vulnerable (and their families). The data subjects were not notified of the data breach.
The notice explains that the council had been using unencrypted memory sticks since 2005, and although it had implemented a policy of using encrypted sticks four months before the incident occurred, “it had failed to implement any effective short term plan to limit the risks.”
As a consequence of the incident, the ICO issued a monetary penalty of £80,000. One of the factors considered was that the council did not notify those affected, despite the fact that their own risk assessment after the incident recommended notification.