
County Council breaches Data Protection Act

Cambridgeshire County Council has lost a memory stick containing sensitive data relating to vulnerable adults, following a drive to switch to encrypted devices and training on the importance of keeping personal information secure.

The loss occurred after a staff member had encountered problems with an encrypted memory stick that had been provided by the council free of charge, and so switched to an unencrypted version. The memory stick in question held information relating to six individuals.

The internal campaign run by the Council had promoted its encryption policy, and staff were warned about the dangers of not using encrypted devices to store information.

Sally Anne-Poole, Enforcement Group Manager at the ICO, said:
“While Cambridgeshire County Council clearly recognise the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check their data protection policies are continually followed and fully understood by staff.
“We are pleased that Cambridgeshire County Council has taken action to improve its existing security measures and has agreed to carry out regular and routine monitoring of its encryption policy to ensure it is being followed.”

As a result of the loss, Cambridgeshire County Council has signed a formal undertaking, “to ensure that all portable devices used by the council are encrypted using encryption software that meets the current standard”. The Council will also carry out regular monitoring procedures to ensure this doesn’t happen again.
To read the full undertaking, go to http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings now.

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked, but even in the case of Cambridgeshire County Council, where they have taken active steps in managing risks to privacy, Absolute Data can help. Absolute Data can take any hassle away from an organisation by holding training and seminars, documenting information, and carrying out regular checks and reviews on an organisation’s behalf. For further information, please contact us now at info@absolute-data.co.uk.