The Information Commissioner (ICO) was informed on February 12, 2015 that a removable hard drive containing personal data had been taken home by a member of staff and that the employee had subsequently failed to return it.
The removable hard drive contained a back-up of Community Transport Ltd’s customer database, which contained 4,138 individual records. This included some limited medical data.
The standard procedure at Community Transport Ltd at the time of the incident was for a member of staff to take the back-up tape home each day so that it could be stored offsite. On this occasion, the member of staff tasked with taking the back-up tape home unexpectedly failed to return to work. There’s no explanation as to why they didn’t just send someone to the house to retrieve it or, if the employee was incapacitated or unavailable, contact next of kin.
The ICO’s investigation revealed a number of weaknesses in data protection, including the lack of a policy and training that would have covered this type of situation. The ICO also found that Community Transport was retaining data for longer than was necessary for its work and that it had no procedure or policy in place to address that, either. Finally, the ICO also found that data stored on portable devices was not being encrypted.
You can read the undertaking Community Transport signed here.