Newcastle Youth Offending Team breached the Data Protection Act by failing to encrypt a laptop containing personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.
The laptop – which contained personal data relating to 100 young people and sensitive personal data on 10 people – was reported stolen from a contractor’s home in the Northumbria area in January. The contractor had been working on a youth inclusion programme on behalf of the Team. The majority of the personal data stored on the laptop included names, addresses, dates of birth and the name of the school the young person attended.
The ICO’s investigation found that, although Newcastle Youth Offending Team had a contract in place with the contractor, there was a failure to ensure that its employees were complying with necessary security measures.
Newcastle Youth Offending Team has stated that it will now take reasonable steps to ensure all data processors contracted to act on its behalf comply with the principles of the Act, including that all portable and mobile devices, including laptops, are encrypted.
Acting Head of Enforcement, Sally-Anne Poole, said:
“Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure. But, to their detriment, not enough data handlers are making use of it. This case also highlights how important it is to ensure that watertight procedures are in place before any work is undertaken by contractors. Organisations shouldn’t simply assume that third parties will handle personal data in line with their usual standards. I’m pleased that Newcastle Youth Offending Team has learned lessons from this incident and hope that it encourages others to heed our advice.”
Source: Information Commissioner’s Office
This is a point I’ve often made here and on phiprivacy.net – entities need to audit or ensure that their contractors or vendors are actually complying with the security protections specified in any contract. It’s not enough just to “trust” – you must verify.