recent work

Council found guilty of losing children’s personal data

The Information Commissioner’s Office (ICO) has found West Berkshire Council in breach of the Data Protection Act (DPA) after the council lost an unprotected USB drive containing personal information on children, including details about ethnicity and physical and mental health.
The USB drive which was lost in March had been used by an employee for five years and was not encrypted or password protected.  It is understood that staff at the Council have been provided with encrypted USB sticks for the last four years but no process was in place to replace or protect older USB sticks.  The ICO also found that council staff had not received appropriate or sufficient training in data protection issues and that it had inadequate compliance monitoring policies in place.
Sally-Anne Poole, enforcement group manager at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.”
Nick Carter, chief executive of West Berkshire Council, has now signed a formal undertaking to ensure that all portable and mobile devices containing personal data are encrypted. The council will also provide training to staff on data protection and IT security issues.                                                                                                                                                                                                                                                     There have been a number of data breaches by involving children’s data by organisations over the past 12 months including Wigan Council, which lost an unprotected laptop containing information on over 40,000 children. C

Comment
In our work in professional sport, we come across many organisations that process the personal information of young and often vulnerable people in a range of education, health and sports coaching programmes and other fantastic schemes.  Many of our clients ask us to advise them on how to protect the data that they receive, process and store relating to young people, such as restricting access to database records, managing system generated reports, blocking data copying, encrypting portable media, and most importantly, implementing a systematic review of data processes to run periodic and documented health checks.  Being able to demonstrate that staff have had sufficient and adequate training in these matters is vitally important but often overlooked.