ICO slaps three councils for data breaches

Ian Grant

Privacy watchdog the Information Commissioner's Office (ICO) has accepted undertakings to do better from three councils that breached the Data Protection Act.

The undertakings come days after the ICO was empowered to levy fines of up to £500,000 for data breaches.

A laptop stolen from St Albans City and District Council contained unencrypted postal voters' records as part of an election process in June 2009. The ICO found the data was password-protected but remained on the laptop when it was no longer required.

The laptop was left unsecured on a desk until it was discovered missing on 5 November 2009, along with three other council laptops.

The council undertook to train staff and contractors in security procedures, to encrypt laptops and other portable storage devices, and to apply physical security measures to prevent unauthorised access to them.

The ICO found Warwickshire County Council in breach of the Data Protection Act following the theft of two unencrypted and unsecured laptops and the loss of a memory stick. The devices held sensitive personal information relating to pupils and members of staff from two schools.

The council also lost an unencrypted memory stick that held a small amount of personal data relating to children at an education centre.

The ICO found the Highland Council breached the DPA after personal data, including data relating to the physical and mental health of several members of one family, was inadvertently disclosed to an unrelated individual.

The incident occurred after several members of two different families submitted subject access requests to the council at around the same time. The officer who usually dealt with these requests went on leave before the full responses had been sent, and the covering officer was unaware that there was more than one outstanding request from the same village.

The ICO's head of enforcement and investigations, Sally-Anne Poole, said encryption was essential when organisations stored large volumes of personal details on portable computers. "It is also crucial organisations don't keep personal information for longer than is necessary," she said.

