Stoke-on-Trent city council breached the Data Protection Act after losing an unprotected memory stick containing the case details of vulnerable children in its care.
The council has now undertaken to improve the security of personal data held on portable media devices, following the loss of the USB memory stick containing sensitive personal information of 40 children.
The Information Commissioner’s Office (ICO) found the council had breached the Data Protection Act as a result of the loss, and pointed out that as the loss occurred before 6 April this year, the council had escaped the possibility of incurring a large fine.
After this date, the ICO was given the power to fine organisations up to £500,000 for "serious" breaches of the Data Protection Act.
The ICO was made aware of the breach after the memory stick, which was unencrypted and not password protected, was found by a member of the public in the Hanley area of the city.
It was returned to the council by the finder. Although there was a legitimate reason for the information being saved on the USB stick, said the ICO, the failure to encrypt it or use a password meant the information - which included court reports and details of care proceedings - was placed at "unnecessary risk".
The council has since taken steps to help ensure that personal data contained on portable devices is appropriately secured, including the use of encryption.
Sally Anne-Poole, enforcement group manager at the ICO, said, “This incident occurred before 6 April, so the powers now available to the Information Commissioner to issue penalties of up to £500,000 for serious breaches of the Data Protection Act could not be considered.”
Earlier this year, West Berkshire council was also found in breach of the Act by the ICO when it lost personal details of children on a USB stick.
West Berkshire had been using encrypted memory sticks since 2006, but it was discovered some staff had been using unprotected ones.
The lost one had been in use since 2005 by the member of staff concerned, and the loss occurred in March this year - again meaning there was no possibility of the ICO levying a big fine, despite it being the second data loss by the council in six months.