WiredGov Newswire (news from other organisations)
Printable version E-mail this to a friend

ICO - Action taken after care provider lost unencrypted memory stick

A care provider with offices in Northern Ireland and the Isle of Man has taken action to improve its data protection practices following a joint ruling by the Information Commissioner’s Office (ICO) and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man.

Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep peoples’ data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man in August 2011. Some of the information was sensitive and related to individuals’ care and mental health.

The device has not been recovered. However, Praxis has informed all affected individuals about the loss and no complaints have been received by the regulators.

The company has now committed to making sure that all portable devices used to store personal data are encrypted. Any personal information that is no longer needed will also be disposed of securely in line with the company’s updated data security guidance.

Christopher Graham, UK Information Commissioner, said:

“Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable. The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.

“The ICO will continue to work closely with other data protection regulators where it is clear that a data breach extends across national boundaries.”

Iain McDonald, Isle of Man Data Protection Supervisor, said:

“Today’s joint action aims to send a clear message to organisations that a lax attitude to data security will not be tolerated by either the ODPS or the ICO. We will continue to work with regulators in other countries to ensure that our residents’ personal information is protected.”

A further undertaking has also been signed by the Chartered Institute of Public Relations (CIPR). The undertaking – agreed with the ICO – follows the loss of up to 30 membership forms on a train in May. The organisation didn’t have a policy in place for handling personal data outside of the office at the time of the incident. The CIPR has now agreed to review its new data protection policy and make sure that it is communicated to staff by the end of February.

View all the ICO's data protection undertakings

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes 
  • Adequate, relevant and not excessive
  • Accurate and up to date 
  • Not kept for longer than is necessary 
  • Processed in line with your rights 
  • Secure 
  • Not transferred to other countries without adequate protection 

4. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter.

5. If you need more information, please contact the ICO press office on 0303 123 9070 or ico.gov.uk/press

Digital Transformation Doesn’t Exist