Wigan Council has agreed to take action to comply with the Data Protection Act after the theft of a laptop computer containing personal information relating to about 43,000 children and young people.
The laptop included personal details on most children and young people in Wigan’s schools. The information had been downloaded on to the laptop in breach of council policy. Although the laptop was stored in a locked office, the data on the device was not protected as the laptop was not encrypted.
The Information Commissioner’s Office (ICO) found Wigan Council in breach of the Data Protection Act and Joyce Redfearn, Chief Executive at Wigan Council, has now signed an Undertaking confirming that the organisation will take a number of steps to improve data security. Sally-Anne Poole, Head of Enforcement at the ICO, said: “I strongly advise organisations to avoid instances where employees can download large volumes of personal information. This incident could have been averted if the data was simply accessed from the main council computer network. Storing large volumes of personal information on portable devices is unnecessarily risky. If personal details fall into the wrong hands, individuals can experience considerable distress. It is vital that personal information is handled securely, especially where so many children and young people are concerned. I am pleased that the council has taken action to guard against security breaches of this nature.”
Wigan Council has agreed to ensure that portable and mobile devices, including laptops and other portable media used to store and transmit personal data, are encrypted; and to train staff accordingly.
Similarly, Sandwell Metropolitan Borough Council has agreed to take action to comply with data protection principles and has signed an Undertaking to assure the ICO that personal data will be kept securely in future.
The ICO has found Sandwell Metropolitan Borough Council in breach of the Data Protection Act after an unencrypted memory stick was lost by an employee. The memory stick, which was not password protected, contained sensitive personal information relating to four families, including why children were taken into care or made subject to a Child Protection Plan. Alison Fraser, Chief Executive of Sandwell MBC has agreed to ensure that portable and mobile devices including laptops and other portable media used to store and transmit personal data are encrypted. Staff will be appropriately trained and made aware of the policy for the storage and use of personal information.
And NHS Education for Scotland (NES) has agreed to improve data security after it informed the ICO of a data breach involving the theft of an unencrypted laptop containing the personal information of 6377 applicants for medical training positions.
The information included names, addresses, phone numbers and summaries of the applicants, as well as monitoring information relating to equality and diversity. Malcolm Wright, Chief Executive of NES, has signed an Undertaking confirming that the organisation will take a number of steps to ensure personal information is kept safe and secure.
Ken Macdonald, Assistant Information Commissioner – Scotland, said: “Password protected laptops are not secure. I urge all organisations to restrict and encrypt the amount of personal information stored on portable devices that can be taken off site. In this case, the stolen laptop contained sensitive personal information including equality and diversity information. If personal details fall into the wrong hands, individuals can experience considerable distress. Safeguarding sensitive personal information is an important principle of the Data Protection Act. This case serves as a reminder that all organisations and their executive teams need to ensure that data protection is treated as an important part of corporate governance.”
