Rochdale Metropolitan Borough Council breached the Data Protection Act by losing an unencrypted memory stick containing the details of over 18,000 residents, the Information Commissioner’s Office (ICO) said.
The ICO watchdog has required the council to put changes in place and will check to ensure the improvements have been made.
The memory stick – which was lost in May and has not been recovered – included, in some cases, residents’ names and addresses, along with details of payments to and by the council. The device did not include any bank account details. The information had been put on a memory stick to compile the council’s financial accounts.
The ICO’s investigation found that the council’s data protection practices were insufficient – specifically that it failed to make sure that memory sticks provided to its staff were encrypted. The council also failed to provide employees with adequate data protection training. As well as requiring the council to put all of the changes in place by 31 March 2012, the ICO will follow up with the council to ensure that the agreed actions have been implemented.
Acting Head of Enforcement, Sally Anne Poole said: “Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people. Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that’s why we will follow up with the council, to ensure they’re doing everything they can to prevent this type of incident happening again.”
University Hospitals Coventry & Warwickshire NHS Trust breached the Data Protection Act by losing patients’ medical information on two separate occasions, the Information Commissioner’s Office (ICO) said.
In February, records relating to the treatment of 18 patients were found in a communal waste bin at a residential apartment block. The information had been taken home by a member of staff and accidentally disposed of in a public bin along with other rubbish.
In a second incident – which took place in May – a member of the public discovered details relating to a patient’s sensitive medical procedures and test results which were allegedly found in a bin outside Coventry University Hospital.
The ICO’s investigation found that the trust’s policies and procedures on the use of personal information were not sufficient. During the Commissioner’s investigation, concerns were also raised about the delivery and collection point for patient notes at one of the Trust’s hospitals.
Sally Anne Poole, Acting Head of Enforcement said: “The fact that the trust lost sensitive personal information on two separate occasions within the space of two months is clearly not acceptable. Organisations across the health service must recognise that they hold some of the most sensitive personal data available and that it must never be disposed of in the same way as routine household waste.”
The ICO has now ordered the trust to review its policies to make sure that personal information is adequately protected and disposed of. Staff will be trained to follow the trust’s updated guidelines and new procedures governing the handling of clinical data. The hospital will also carry out routine monitoring to ensure that procedures are being followed.
And: Newcastle Youth Offending Team breached the Data Protection Act by failing to encrypt a laptop containing personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.
The laptop – which contained personal data relating to 100 young people – was reported stolen from a contractor’s home in the Northumbria area in January. The contractor had been working on a youth inclusion programme on behalf of the Team. The majority of the personal data stored on the laptop included names, addresses, dates of birth and the name of the school the young person attended.
The ICO’s investigation found that, although Newcastle Youth Offending Team had a contract in place with the contractor, there was a failure to ensure that its employees were complying with necessary security measures.
Newcastle Youth Offending Team has stated that it will now take reasonable steps to ensure all data processors contracted to act on its behalf comply with the principles of the Act, including that all portable and mobile devices, including laptops, are encrypted.
Acting Head of Enforcement, Sally-Anne Poole, said: “Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure. But, to their detriment, not enough data handlers are making use of it. This case also highlights how important it is to ensure that watertight procedures are in place before any work is undertaken by contractors. Organisations shouldn’t simply assume that third parties will handle personal data in line with their usual standards. I’m pleased that Newcastle Youth Offending Team has learned lessons from this incident and hope that it encourages others to heed our advice.”
