Information Commissioner's Office

Hundreds of children’s details lost on unencrypted council memory stick

The Information Commissioner’s Office (ICO) has served North East Lincolnshire Council with a monetary penalty of £80,000 after a serious data breach resulted in the sensitive information of hundreds of children with special educational needs being lost.

The information was stored on an unencrypted memory stick and has been missing since 1 July 2011, when the device was left in a laptop at the council’s offices by a special educational needs teacher. When the teacher returned to the laptop, the memory stick was gone, and it has never been recovered.

The device contained sensitive personal information about the 286 children who attended local schools, including information about their mental and physical health problems and teaching requirements. The device also included the pupils’ dates of birth and some included details of their home addresses and information about their home life.

The ICO’s investigation considered an internal report carried out by the council into the incident, which confirmed that the individuals affected would suffer ill-health due to the loss. While the council had introduced a policy of encrypting portable devices in April 2011, it failed to make sure all of the memory sticks currently being used by staff were encrypted. The council was also unable to confirm if the teacher had received data protection training at the time of the loss.

ICO Head of Enforcement, Stephen Eckersley, said:

“Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted. North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented.

“This breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people’s information is being looked after correctly.”

The ICO’s Group Manager for Technology, Simon Rice, has published a blog explaining the importance of encryption and the options available to organisations that need to encrypt their data.

The ICO has also published best practice advice for schools explaining the key issues they need to be aware of when processing people’s information. The guidance was developed after the ICO received feedback from 400 schools on their compliance with the Data Protection Act.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

5. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.

6. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).

7. If you need more information, please contact the ICO press office on 0303 123 9070.
