The Information Commissioner’s Office (ICO) has urged organisations to review their policies on how personal data is handled.
The call comes as the ICO issued a £150,000 civil monetary penalty to the Nursing and Midwifery Council for breaching the Data Protection Act.
The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children.
An ICO investigation found the information was not encrypted.
“It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again,” said David Smith, deputy commissioner and director of data protection.
“While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected,” he said.
Smith called on organisations to take the time today to check their policy on how personal information is handled.
It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again
David Smith, data protection
He said they should evaluate if the policy is robust enough, if it covers audio and video files containing personal information, and if it is being followed in every case.
“If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty,” said Smith.
The ICO found that the Nursing and Midwifery Council’s failure to ensure the discs were encrypted placed sensitive personal information at unnecessary risk.
No policy appeared to exist on how the discs should be handled, which meant no thought was given to whether they should be encrypted.
“Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty,” said Smith.
The penalty is the second to be issued by the ICO so far this year and comes barely a month after the privacy watchdog issued a monetary penalty of £250,000 against Sony Computer Entertainment Europe.