Finance department loses unencrypted USB stick at Rochdale metropolitan Borough Council, UK

Rochdale Metropolitan Borough Council has signed a Data Protection underatking following the loss of an unencrypted memory device.

The Information Commissioner (the ‘Commissioner’) was provided with a report of the loss of an unencrypted USB memory stick containing personal data relating to several thousands of the data controller’s constituents. The USB stick had been used by an officer in the finance department to collate information required for the data controller’s final accounts for 2010/2011.

Enquiries revealed that much of the information on the USB stick was already available in the public domain. However, the Commissioner’s investigation also found that the data controller had not provided appropriate data protection training to staff, including the officer involved in this incident, and that its policies and procedures were in need of urgent review and updating. It was also discovered that the data controller did not provide staff with encrypted USB sticks, even where it was known that these would be used to process personal data.

The relevant provision of the Act is the Seventh Data Protection Principle. This Principle is set out in Schedule 1, Part I to the Act. To recap, the Data Protection Act says that appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

In practice, it means organizations must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. The data controller must exercise judgement about what is appropriate, although if a breach is referred to the Information Commissioner, he and his team will form a view of what is appropriate in the circumstances, and if a case went to a court, it is for the court to decide.

Under the Seventh Data protection principle organizations need to:

  • Design and organize security to fit the nature of the personal data held and the harm that may result from a security breach.
  • Be clear about who in the organization is responsible for ensuring information security.
  • Ensure the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff.
  • Be ready to respond to any breach of security swiftly and effectively.

As is common, the Commissioner will not serve an Enforcement Notice under section 40 of the Act, provided that the data controller undertakes the action set out below.

There is the standard opening condition that the data controller must ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act. Then some requirements which are more specific to this case are set out.

All portable and mobile devices including laptops, USB sticks and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, must be encrypted using encryption software which meets the current standard or equivalent.

The data controller must review and revise its policies and procedures with regard to the storage, processing, transmission and disposal of personal data, and information security by no later than 1 December 2011.

The revised policies and procedures referred to above must be brought to the attention of all staff, who will receive appropriate training to allow them to follow these policies in their day-to-day roles by no later than 31 March 2012.

Compliance with the data controller’s policies on data protection and IT security issues must be appropriately and regularly monitored.

Finally, there is a further standard requirement that the data controller must implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

This is an example of a frequent breach – the loss of an unencypted USB. The lessons are that all mobile devices must be adequately encrypted, there must be a carefully thought through Data Protection policy communicated to all staff involved, and there must be adequate training on Data Protection matters and the relevant policies and procedures.

Share

No comments yet.

Leave a Reply

Twitter widget by Rimon Habib - BuddyPress Expert Developer