ICO fines council £80k in latest loss of unencrypted memory stick

North East Lincolnshire Council has become the latest public body to be hit with a large fine by the Information Commissioner after an unencrypted memory stick with sensitive data was lost.

The memory stick – containing information on 286 children with special educational needs – has been missing since 1 July 2011.

The device had been left in a laptop at North East Lincolnshire’s offices by an SEN teacher. When the teacher returned, the memory stick was gone. It has not been recovered.

The information on the memory stick included the children’s:

  • mental and physical health problems;
  • teaching requirements;
  • dates of birth; and
  • (in some cases) home addresses and information about their home life.

An internal report prepared by North East Lincolnshire concluded that the individuals affected would suffer ill-health because of the loss.

The council had introduced a policy of encrypting portable devices in April 2011. However, the ICO found that it had failed to make sure all memory sticks in use at the time by staff were encrypted.

North East Lincolnshire could not confirm to the ICO that the teacher concerned had received data protection at the time of the incident.

The ICO fined North East Lincolnshire £80,000.

The watchdog’s Head of Enforcement, Stephen Eckersley, said: “Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted.

“North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented.”

He added: “This breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people’s information is being looked after correctly.”

In October 2012 Greater Manchester Police was fined £150,000 by the ICO after the theft from an officer’s home of a memory stick containing details of more than 1,000 people with links to serious crime investigations compiled over an 11-year period. The memory stick had no password protection.

Read a blog by the ICO’s Group Manager for Technology, Simon Rice, on the importance of encryption  and the options available.