GLD Vacancies

ICO demands undertaking from children's charities after data breach

Two charity heads have signed undertakings with the Information Commissioners’ Office after it found they had failed to encrypt personal data on computers that were then stolen from their staff.

Sheffield-based Asperger’s Children and Carers Together (ACCT) and the Wheelbase Motor Project, in Nottingham, were both found to have breached the Data Protection Act by failing to encrypt sensitive information relating to young people.

ACTT reported the breach after a laptop that contained data on 80 children, including medication information and names and addresses, was stolen from an employee’s home in December 2010.
The breach at Wheelbase Motor Project was reported after a theft from its offices of a laptop that contained information including past criminal convictions on 50 young people.

ACTT director Deborah Woodhouse signed an undertaking to ensure that all portable and mobile devices used to store personal data will be encrypted. She also agreed to update data storage policies and train staff in following these.

The ICO said it did not think a financial penalty was appropriate because while some sensitive personal data was included, this was limited in nature and its disclosure would be unlikely to cause substantial distress to the subjects.

Michael Clifford, chief executive officer of Wheelbase Motor Project, signed an undertaking to encrypt all portable and mobile devices used to store sensitive personal information and to communicate the relevant policies to staff.

The ICO noted the stolen hard drive’s format was such that it would be incompatible with most desktop operating systems and that the files were password protected.

“As the sensitive personal data was limited in nature the commissioner considers the risk of serious damage and distress to individuals from unauthorised access to be nominal,” it said.

Acting ICO head of enforcement, Sally-Anne Poole said: “The ICO’s guidance is clear – any organisation that stores personal information on a laptop or other portable devices must make sure that the information is encrypted. “Information about young people’s medical conditions or criminal convictions is obviously sensitive and should have been adequately protected.”

The undertakings signed may be viewed here: http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings

LGL – ICO ruling – Mark Smulian

 

Two charity heads have signed undertakings with the Information Commissioners’ Office after it found they had failed to encrypt personal data on computers that were then stolen from their staff.

Sheffield-based Asperger’s Children and Carers Together (ACCT) and the Wheelbase Motor Project, in Nottingham, were both found to have breached the Data Protection Act by failing to encrypt sensitive information relating to young people.

ACTT reported the breach after a laptop that contained data on 80 children, including medication information and names and addresses, was stolen from an employee’s home in December 2010.

The breach at Wheelbase Motor Project was reported after a theft from its offices of a laptop that contained information including past criminal convictions on 50 young people.

ACTT director Deborah Woodhouse signed an undertaking to ensure that all portable and mobile devices used to store personal data will be encrypted.

She also agreed to update data storage policies and train staff in following these.

The ICO said it did not think a financial penalty was appropriate because while some sensitive personal data was included, this was limited in nature and its disclosure would be unlikely to cause substantial distress to the subjects.

Michael Clifford, chief executive officer of Wheelbase Motor Project, signed an undertaking to encrypt all portable and mobile devices used to store sensitive personal information and to communicate the relevant policies to staff.

The ICO noted the stolen hard drive’s format was such that it would be incompatible with most desktop operating systems and that the files were password protected.

As the sensitive personal data was limited in nature the commissioner considers the risk of serious damage and distress to individuals from unauthorised access to be nominal,” it said.

Acting ICO head of enforcement, Sally-Anne Poole said: “The ICO’s guidance is clear – any organisation that stores personal information on a laptop or other portable devices must make sure that the information is encrypted.

Information about young people’s medical conditions or criminal convictions is obviously sensitive and should have been adequately protected.”

 

The undertakings signed may be viewed here:

 

http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings