ICO finds council in breach of the Data Protection Act over child data loss

The Information Commissioner’s Office (ICO) has taken remedial action against West Berkshire Council after finding in breach of the Data Protection Act following the loss of a USB data stick containing the sensitive personal information of children and young people.

The memory stick, which was unencrypted and not password protected, contained, among other things, information relating to the ethnicity and physical or mental health of the children.

The ICO found that unencrypted devices, in operation before the council introduced encrypted memory sticks in 2006, were still being used by members of staff. It also discovered that staff at the council had not received appropriate training in data protection issues and the monitoring of compliance with the council’s policies was found to be inadequate.

The chief executive of West Berkshire Council has signed a formal Undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted. Staff will also be made fully aware of the council’s policy for the storage of personal data and receive appropriate training on data protection and IT security issues.

Sally-anne Poole, Enforcement Group Manager at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children. A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands. I am aware that staff have been provided with encrypted USB sticks since 2006 but older devices were not recalled. I am pleased that the council has now taken action to prevent against further data breaches.”

Click here to read the full undertaking signed by West Berkshire Council

Click here for the ICO's guidance on data encryption