From the Information Commissioner’s Office:
The ICO has fined a historical society after a laptop containing sensitive personal data was stolen whilst a member of staff was working away from the office. The laptop, which wasn’t encrypted, contained the details of people who had donated artefacts to the society. An ICO investigation found the organisation had no policies or procedures around homeworking, encryption and mobile devices which resulted in a breach of data protection law.
It’s not clear to me why so much of the monetary penalty notice has been redacted by the ICO, including the date of the incident and the number of individuals whose data was on the stolen laptop. Was a royal involved or something? Is this the Royal Historical Society?
Why is this entity being given treatment that other entities haven’t received? The redacted version appears inconsistent with other monetary penalty notices that at least tell us what kinds of information were at risk and how many people had information at risk. The ICO’s statement says:
“The personal information in this case was so sensitive we can’t give out details of the breach. The historical society knew of the potential consequences of losing the sensitive information and should have taken measures to secure the data.”
Really? They can’t even say when it occurred or how many people had information at risk?
In any event, after all that, the fine is £500, reduced to £400 if it’s paid early.