Font Size

Laptop thefts highlight the need for encryption

 By

The Information Commissioner’s Office

Legal Articles
Submit Articles   Back to Articles

Issued on 5 October 2011 - ICO

Two organisations have taken action after they breached the Data Protection Act by failing to encrypt personal information on laptops that were later stolen, the Information Commissioner’s Office (ICO) said today.

The Association of School and College Leaders (ASCL) breached the Data Protection Act in May 2011 when a laptop - containing sensitive personal data - was stolen from an employee’s home in Yorkshire. The ICO’s enquiries found that, while the laptop had encryption software installed on it, the decision on whether to encrypt individual documents was left to the employee. At the time of the theft the laptop included unencrypted personal information relating to approximately 100 individuals, including details of their membership of the union and in some cases, details of their physical or mental health.

In a similar incident, Holly Park School in Barnet breached the Act when an unencrypted laptop was stolen from an unlocked office at the school on 1 May. The device contained details of pupils’ names, addresses, exam marks and some limited information relating to their health. After investigating the breach the ICO also discovered that the school had no data protection policy in place at the time of the theft.

Acting Head of Enforcement, Sally Anne Poole said:

“The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress - must be encrypted. This is one of the most basic security measures and is not expensive to put in place - yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.

“We are pleased that the Association of School and College Leaders and Holly Park School have taken action to make sure the personal information they collect remains secure.”

Both organisations have now taken action to make sure the personal information they handle is protected. This includes ensuring that portable devices used to store personal data – including laptops - are appropriately encrypted. Both organisations will also introduce adequate checks to make sure their employees are following policies and procedures governing the secure use of personal information.

A full copy of both undertakings can be viewed here:

http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings

The ICO has produced guidance on the security measures that organisations should have in place when storing personal information electronically. A copy of the guidance can be found here:

http://www.ico.gov.uk/for_organisations/data_protection/security_measures.aspx

Notes 

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  1. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  1. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter
  1. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

About the Author

The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We do this by promoting good practice, ruling on complaints, providing information to individuals and organisations and taking appropriate action when the law is broken.

The ICO enforces and oversees the following legislation:

  •  Data Protection Act 1998
  •  Freedom of Information Act 2000
  •  Privacy and Electronic Communications Regulations 2003
  •  Environmental Information Regulations 2004


Follow us @Scopulus_News

Article Published/Sorted/Amended on Scopulus 2011-10-09 02:30:01 in Legal Articles

All Articles

Copyright © 2004-2020 Scopulus Limited. All rights reserved.