Cambridgeshire CC breaches data protection laws but avoids monetary penalty

Cambridgeshire County Council has avoided a monetary penalty despite the Information Commissioner’s Office finding that the authority had breached the Data Protection Act by losing a memory stick containing sensitive data relating to vulnerable adults.

The council told the watchdog in November 2010 about the incident, which saw an employee lose an unencrypted memory stick containing personal data relating to a minimum of six individuals. The stick included case notes and minutes of meetings relating to the individuals’ support.

The employee had saved the information on an unapproved memory stick after encountering problems with an encrypted memory stick provided by Cambridgeshire.

The incident also occurred after the council had conducted an internal campaign promoting its encryption policy. Cambridgeshire had asked its employees to hand in unencrypted devices and warned them about the importance of keeping personal information secure.

The council has now signed a formal undertaking agreeing to improve its existing security measures and to carry out regular monitoring.

Sally Anne Poole, Enforcement Group Manager at the ICO, said the case showed that organisations needed to check their data protection policies were continually followed and fully understood by staff.

She added: “We are pleased that Cambridgeshire County Council has taken action to improve its existing security measures and has agreed to carry out regular and routine monitoring of its encryption policy to ensure it is being followed.”

The ICO has so far levied substantial monetary penalties on three local authorities – Hertfordshire County Council, Ealing Council and Hounslow Council – for breaches of the DPA since it was given new powers in April 2010.

However, the watchdog decided against levying a monetary penalty against Cambridgeshire.

An ICO spokesman said the steps taken by the county council prior to the incident would have been taken into account in its decision.

He added: “With regards to a fine, there has to have been shown either a complete disregard for the Data Protection Act or negligent action. With Cambridgeshire County Council, they had an existing policy in place and had conducted an internal campaign. They had also provided encrypted devices free-of-charge to staff. They had gone that extra mile if you like.

“The reason they breached the Act was that the member of staff was provided with an encrypted memory stick but couldn’t work it – either the memory stick was damaged or the individual just didn’t understand the technicalities of how it worked.

“We wouldn’t normally fine someone when they have taken such steps because it shows that they are aware of the Act and they have taken the necessary precautions. However, what the undertaking says is that they can make improvements. It’s not the fact that they haven’t got a policy or that the policy is fundamentally flawed, it’s the fact that they can improve this policy but we do recognise that they have a fairly strong policy in place.”

The spokesman added: “There’s always that slim chance – it only takes one member of staff on any one day to breach the policy and this case really just highlights that fact.”