Leaving laptops containing customers’ personal details is a breach of Data Protection Act, Information watchdog says
Two organisations — the Association of School and College Leaders (ASCL) and Holly Park School in Barnet — breached the Data Protection Act by failing to encrypt personal information on laptops that were later stolen, the Information Commissioner’s Office (ICO) said.
The wathdog said that the ASCL breached the Data Protection Act in May 2011 when a laptop – containing sensitive personal data – was stolen from an employee’s home in Yorkshire.
At the time of the theft the laptop included unencrypted personal information relating to approximately 100 individuals, including details of their membership of the union and in some cases, details of their physical or mental health, said the ICO.
The ICO’s enquiries found that, while the laptop had encryption software installed on it, the decision on whether to encrypt individual documents was left to the employee.
The ICO said that Holly Park School in Barnet breached the Act when an unencrypted laptop was stolen from an unlocked office at the school on 1 May. The device contained details of pupils’ names, addresses, exam marks and some limited information relating to their health. After investigating the breach the ICO also discovered that the school had no data protection policy in place at the time of the theft.
The ICO said both organisations have now taken action to make sure the personal information they handle is protected. This includes ensuring that portable devices used to store personal data – including laptops – are appropriately encrypted. Both organisations will also introduce adequate checks to make sure their employees are following policies and procedures governing the secure use of personal information.
Acting Head of Enforcement Sally Anne Poole said all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. "This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily," added Poole.
"We are pleased that the Association of School and College Leaders and Holly Park School have taken action to make sure the personal information they collect remains secure."