Laptop thefts and data protection
The Information Commissioner’s Office (ICO) has reiterated its guidance to organisations to ensure that personal data stored on electronic devices is encrypted if the information would cause damage or distress if the records were lost or stolen.
Under the Data Protection Act (the Act), organisations must take “appropriate technical and organisational measures” to protect against “unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data”.
The announcement follows the disclosure that in May this year, the Association of School and College Leaders (ASCL) breached the Data Protection Act when a laptop containing sensitive personal data was stolen from an employee’s home in Yorkshire. The ICO’s enquiries found that, while the laptop had encryption software installed on it, the decision on whether to encrypt individual documents was left to the employee. At the time of the theft, the laptop held unencrypted personal information relating to approximately 100 individuals, including details of their membership of the union and, in some cases, details of their physical or mental health.
In a similar incident, Holly Park School in Barnet breached the Act when an unencrypted laptop, containing details of pupils’ names, addresses, exam marks and some limited information relating to their health, was stolen from an unlocked office at the school.
Referring to the incidents, the ICO’s Acting Head of Enforcement, Sally Anne Poole, said: “The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us”.
With the ICO having the power to fine organisations up to £500,000 for the most serious breaches of the Data Protection Act, as well as the risk of claims from individuals whose personal data has been lost, it is important that organisations look carefully at their information security arrangements.
Reviewed in 2015