posted on March 27, 2012 15:52
Theft of memory sticks leads to charity breach of Data Protection Act
Learning disability charity Enable Scotland has had to sign an undertaking promising to improve its data security after two unencrypted memory sticks and papers containing the personal details of around 100 individuals were stolen from an employee’s home. The stolen information included people’s names, addresses and birthdays, along with some data relating to their health.
Immediately after the theft occurred in November last year, the charity confessed to the Information Commissioner’s Office (ICO) and informed the people affected. The ICO investigated and found the charity had breached the Data Protection Act by not deleting the records from the memory sticks once they had been transferred to the charity’s server. It also found the charity had no specific guidance for home workers on keeping personal data secure, and no policy for ensuring encryption of portable media devices carrying sensitive information. However, there was no evidence that the information had been inappropriately accessed, the ICO said.
The ICO did not deem the breach to be serious enough to warrant a fine, but did insist that Enable Scotland’s CEO Peter Scott sign an undertaking committing the charity to improving its compliance with the Act.
Actions to be taken include ensuring laptops are encrypted, only removing hard copy files from the office when absolutely necessary and providing guidance to home workers on keeping data secure.
Ken Macdonald, assistant information commissioner for Scotland, said the incident “should act as a warning to all charities that they must ensure that personal information is handled correctly”.