ICO criticises council after memory stick lost with details of 18,000 residents

The Information Commissioner’s Office has criticised a local authority over its “insufficient” data protection practices and for failing to provide adequate training to staff, after an unencrypted memory stick containing the details of more than 18,000 residents was lost.

The memory stick – which was used by an officer in the finance department as the authority compiled its accounts – was lost by Rochdale Metropolitan Borough Council in May.

It contained, in some cases, the names and addresses of residents, along with information on payments made to and by the council.

However, the device did not include bank account details and the ICO accepted that the incident was unlikely to have caused great distress to residents.

An investigation by the watchdog revealed that the council failed to make sure that memory sticks provided to staff were encrypted. The ICO also criticised Rochdale over its training arrangements, including for the officer concerned. The council’s policies and procedures were “in need of urgent review and updating”, it added.

Rochdale has agreed in an undertaking to put a number of changes in place by 31 March 2012, including the use of encryption software on all portable and mobile devices. The ICO plans to follow up with the council to ensure these agreed actions have been taken.

The watchdog’s Enforcement Group Manager, Sally Anne Poole, said: “Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place.

“Luckily, the information stored on the device was not sensitive and much of it is publicly available.”