The Information Commissioner has found Skipton Financial Services (SFS) in breach of the Data Protection Act following the theft of an unencrypted laptop containing the personal information of 14,000 SFS customers.
The machine which, was reported lost in December 2007, held dates of birth, national insurance numbers and investment amounts, and was stolen from an SFS contractor working for Moore Stephens Consulting Ltd.
The Information Commissioner’s Office said that Skipton should have used encryption to keep the data safe, but it is taking no action against the organisation for the security breach.
Instead it has agreed an undertaking with the financial services organisation over future security standards.
Sensitive information on laptops used by SFS staff or contractors must be encrypted in future and the organisation will also carry out risk assessments where third parties are processing data on its behalf.
Mick Gorrill, Assistant Commissioner at the ICO, said: "It is not always possible to prevent the theft of mobile devices such as laptops, but it is possible to minimise the damage caused by such losses.
“Companies must introduce adequate security procedures and safeguards, for example password protection and encryption, to protect personal information before it is allowed to leave the premises on a laptop. The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act.
“Organisations which process personal information must ensure that information is secure – this is an important principle of the Act. If organisations fail to introduce safeguards to protect information they risk losing the trust and confidence of both employees and customers.”
Simon Holt, managing director of SFS said, “The swift actions we took to protect our client data have been recognised by the Information Commissioner’s Office (ICO). It accepted the explanation provided by SFS and consequently agreed to our voluntary undertakings.”
Over two months since the laptop theft, there is no evidence whatsoever to us to suggest any misuse of this data by a third party, he added...
The government last year said the ICO would be given increased powers to conduct spot checks of government departments. The Information Commissioner wants these powers to be extended to cover all public bodies and private sector organisations.