West Berkshire Council is taking remedial action after the Information Commissioner’s Office found it in breach of the Data Protection Act following the loss of a USB stick containing the sensitive personal information of children and young people.
The memory stick was unencrypted and not password protected. Its contents included information relating to the ethnicity and physical or mental health of the children. The ICO found that unencrypted devices, in operation before the council introduced encrypted memory sticks in 2006, were still being used by members of staff. Although the data controller had provided encrypted USB sticks since 2006, it had never previously required the return of unencrypted devices.
Further enquiries revealed that staff had not received appropriate training in data protection issues, and that monitoring of compliance with the council’s policies was inadequate. This is the second data security incident reported by West Berkshire Council within six months.
Nick Carter, Chief Executive of West Berkshire Council, has now signed a formal Undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted. Staff will also be made fully aware of the council’s policy for the storage of personal data and receive appropriate training on data protection and IT security issues.
The essential terms of the undertaking are as follows:
The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:
(1) Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent;
(2) Staff are aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy;
(3) Compliance with the data controller’s policies on data protection and IT security issues is appropriately and regularly monitored;
(4) The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.