
Scottish charity signs ICO undertaking following personal data theft

9 Mar 2012 04:04 PM
A Scottish charity - based in Glasgow - breached the Data Protection Act after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.

The information included people’s names, addresses and dates of birth, as well as a limited amount of data relating to the individuals’ health. The charity – Enable Scotland (Leading the Way) – promptly reported the incident to the ICO in November 2011 and informed those individuals affected.

The ICO’s investigation found that the information should have been deleted from the memory sticks once it had been uploaded onto the charity’s server. The charity had no specific guidance for home workers on keeping personal data secure, and portable media devices used to store sensitive personal information were not routinely encrypted.

Ken Macdonald, Assistant Commissioner for Scotland, said:

“Organisations that use memory sticks to store personal information must make sure the devices are properly protected. Encrypting the data means that the information will remain safe even if the device is later lost or stolen. It is also important that employers provide home workers with guidance on how to keep any personal data taken outside of the office secure, as this is potentially when the information is most vulnerable.

“We are pleased that Enable Scotland has taken action to keep people’s information safe, however this incident should act as a warning to all charities that they must ensure that personal information is handled correctly.”
 
Peter Scott, Chief Executive of Enable Scotland, has now signed an undertaking, committing the charity to improving its compliance with the Data Protection Act. This includes making sure laptops used to store sensitive personal data are encrypted. Hard copy files will only be removed from the office when absolutely necessary and will contain the minimum amount of personal data required. Guidance will also be provided to home workers, to ensure that any personal data taken outside of the office is kept secure.


The ICO has produced guidance for charities which explains how they can comply with the Data Protection Act.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

5. If you need more information, please contact the ICO press office on 0303 123 9070 or ico.gov.uk/press.