The Information Commissioner's Office (ICO) has served East Lincolnshire Council with an £80,000 penalty for losing sensitive data about hundreds of children with special educational needs.
The data went missing when a special educational needs teacher left an unencrypted memory stick containing the data unattended. She later returned to the computer to find the memory stick gone. The USB stick went missing in July 2011, and has never been recovered.
The data stored on the missing device included personal information about 286 local children. Details about their health, home environments and addresses were on the USB stick.
A report on the incident by East Lincolnshire Council confirmed many of the individuals affected would suffer ill health as a result of the data loss.
The council introduced a policy in April 2011 to ensure portable devices were encrypted, but it failed to ensure devices already in use prior to the policy met encryption guidelines.
ICO head of enforcement Stephen Eckersley said: “Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted. North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failed to make sure that staff were following the policy once it was finally implemented.”
Eckersley said other organisations should heed this as a warning of the consequences of failing to comply with data protection regulations.
Last month, the ICO warned small businesses to make sure they encrypt customer data after a sole trader in Wembley was fined for losing a password-protected but unencrypted hard disk containing personal and financial details of 250 customers.