Warwickshire County Council has been found in breach of the Data Protection Act (DPA) by the Information Commissioner’s Office (ICO) after two laptops were stolen.
The laptops, which were unencrypted and not physically secured or locked away, contained sensitive personal information on pupils and staff from two schools. They were stolen in August 2009 and an investigation revealed that the council was in the process of encrypting portable devices at the time.
In a separate incident, the council reported the loss of an unencrypted memory stick from the administration office of an education centre in September 2009. This held a small amount of personal data about children attending the centre.
Jim Graham, chief executive of Warwickshire County Council, has now signed a formal undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted. Staff will also be made aware of the council’s policy for storage of personal data, and be trained to comply with the policy. Furthermore, the council will implement other security measures to protect personal data.
Sally-Anne Poole, head of enforcement and investigations at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.”
Separately, on Monday, Barnet Council in London wrote to parents in the borough alerting them to a burglary that had resulted in the loss of sensitive data on 9,000 children.
According to the council, a member of staff was burgled at home earlier this month, and items stolen included council computer equipment, CDs and memory sticks. Although the confidential information on the computer equipment has been protected by encryption, the CDs and memory sticks were not.
"This was a clear breach of our policies and the member of staff concerned has been suspended," Nick Walkley, chief executive of Barnet Council, wrote.
The information that has been stolen relates to children in year 11 at Barnet schools from 2007 to 2009. This information included children’s names, dates of birth, addresses and mode of travel to school.
Walkley insisted, however: "We have examined all the data that has been taken and we believe that there is a very low risk that there will be any impact on the individuals it relates to."
Since the theft, Barnet Council said it had made software changes to prevent staff saving data onto unsecure memory devices and CDs and ensured that every council computer used off-premise is securely encrypted. It has also ordered an independent enquiry into the incident and how the council protects confidential information.