The Information Commissioner’s Office (ICO) has found the West Berkshire Council in breach of the Data Protection Act (DPA) after the council lost an unprotected USB drive containing personal information on children.
This is the second data security incident reported by the council within six months, although the ICO said that the first incident was resolved informally.
In the latest incident, the USB drive, which was not encrypted or password protected, contained a range of information on the children, including their ethnicity and details about their physical or mental health.
On investigation, the ICO found that although the council had introduced encrypted USB drives in 2006, some employees were still using unsecured devices. It also found that staff did not receive appropriate training in data protection issues and that the council did not have adequate compliance monitoring policies in place.
The unprotected device had been used by an employee in the council’s social work department since 2005, and was lost in March.
Nick Carter, chief executive of West Berkshire Council, has now signed a formal undertaking to ensure that all portable and mobile devices containing personal data are encrypted. The council will also provide training to staff on data protection and IT security issues.
Sally-Anne Poole, enforcement group manager at the ICO, said: “I am aware that staff have been provided with encrypted USB sticks since 2006, but older devices were not recalled.”
“It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.”
Councils have been responsible for a number of data breaches over the past 12 months, such as Wigan Council, which lost an unprotected laptop containing information on 43,000 children, and Manchester Council lost data on employees at local schools after the theft of two laptops.