Laptop thefts highlight the need for encryption
on 5 October 2011 - ICO
organisations have taken action after they breached the Data Protection
Act by failing to encrypt personal information on laptops that were
later stolen, the Information Commissioner’s Office (ICO) said today.
The Association of School and College Leaders (ASCL) breached the Data
Protection Act in May 2011 when a laptop - containing sensitive
personal data - was stolen from an employee’s home in Yorkshire. The
ICO’s enquiries found that, while the laptop had encryption software
installed on it, the decision on whether to encrypt individual
documents was left to the employee. At the time of the theft the laptop
included unencrypted personal information relating to approximately 100
individuals, including details of their membership of the union and in
some cases, details of their physical or mental health.
In a similar
incident, Holly Park School in Barnet breached the Act when an
unencrypted laptop was stolen from an unlocked office at the school on
1 May. The device contained details of pupils’ names, addresses, exam
marks and some limited information relating to their health. After
investigating the breach the ICO also discovered that the school had no
data protection policy in place at the time of the theft.
of Enforcement, Sally Anne Poole said:
guidance is clear: all personal information – the loss of which is
liable to cause individuals damage and distress - must be encrypted.
This is one of the most basic security measures and is not expensive to
put in place - yet we continue to see incidents being reported to us.
This type of breach is inexcusable and is putting people’s personal
information at risk unnecessarily.
pleased that the Association of School and College Leaders and Holly
Park School have taken action to make sure the personal information
they collect remains secure.”
organisations have now taken action to make sure the personal
information they handle is protected. This includes ensuring that
portable devices used to store personal data – including laptops - are
appropriately encrypted. Both organisations will also introduce
adequate checks to make sure their employees are following policies and
procedures governing the secure use of personal information.
A full copy
of both undertakings can be viewed here:
The ICO has
produced guidance on the security measures that organisations should
have in place when storing personal information electronically. A copy
of the guidance can be found here:
- The Information Commissioner’s Office upholds information
rights in the public interest, promoting openness by public bodies and
data privacy for individuals.
- The ICO has specific responsibilities set
out in the Data Protection Act 1998, the Freedom of Information Act
2000, Environmental Information Regulations 2004 and Privacy and
Electronic Communications Regulations 2003.
- The ICO is on Twitter, Facebook
and produces a monthly e-newsletter.
- Anyone who processes personal information
must comply with eight principles of the Data Protection Act, which
make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate
About the Author
The Information Commissioner’s Office is the UK’s
independent authority set up to uphold information rights in the public
interest, promoting openness by public bodies and data privacy for
individuals. We do this by promoting good practice, ruling on
complaints, providing information to individuals and organisations and
taking appropriate action when the law is broken.
The ICO enforces and oversees the following
- Data Protection Act 1998
- Freedom of Information Act 2000
- Privacy and Electronic Communications
- Environmental Information Regulations
Article Published/Sorted/Amended on Scopulus 2011-10-09 02:30:01 in Legal Articles