ICO says laptop thefts highlight need for encryption

Two schools get rap on the knuckles after thefts of laptops with unencrypted data
Kerry Butters

October 6, 2011

The Information Commissioner’s Office (ICO) has forced two organisations to take action after they breached the Data Protection Act by failing to ensure personal information was encrypted.

In both instances, laptops were stolen which contained sensitive information relating to pupils and other individuals.

In May of this year the Association of School and College Leaders had a laptop stolen from an employee’s home in Yorkshire.

Whilst the machine had encryption software installed, it was left up to individual employees whether or not to encrypt certain documents.

This left unencrypted documents on around 100 people accessible to thieves, including details of their union membership and, in some instances, their physical and mental health.

In another incident, Holly Park School had a laptop stolen from an unlocked office in the same month.

The laptop had information stored on it about the school’s pupils, including exam marks, addresses and “some limited information relating to their health.”

During an investigation into the theft, the ICO found that not only did the school not encrypt the information, but they also had no data protection policy in place.

Both organisations have now taken action to ensure that the data they hold is protected in the future.

Acting Head of Enforcement, Sally Anne Poole, said: “The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted.”

“This is one of the most basic security measures and is not expensive to put in place - yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.”

“We are pleased that the Association of School and College Leaders and Holly Park School have taken action to make sure the personal information they collect remains secure.”

The organisations have not only taken steps to ensure data is encrypted, but have also introduced checks designed to make sure employees follow the correct procedure.

The ICO is a governing body that ensures that data held by any organisation is handled in a responsible manner, in line with the guidelines.

These include stipulations that data is accurate, up-to-date and not excessive, as well as not kept for longer than is necessary.

The guidelines also state that information must be properly processed, secure and “not transferred to other countries without adequate protection.”

