A Scottish charity, Enable Scotland, has given an undertaking to take specific action to improve its compliance with the Data Protection Act 1998 (DPA) after two unencrypted memory sticks and papers containing the personal details of 101 people were stolen from the home of one of its employees. A laptop was also stolen, but this did not contain any personal data, was password protected and had software installed on it that allowed its usage to be tracked. No usage had been logged since it was stolen.
The data on the memory sticks included a limited amount of information relating to the health of the individuals concerned. Enable Scotland reported the incident to the Information Commissioner’s Office (ICO) and informed the people whose personal data had been lost.
The charity had in place a policy that information contained on memory sticks was to be deleted once it had been uploaded onto the charity’s server, but this had not been complied with. There was no policy in place covering working away from the office.
The ICO found that Enable Scotland had breached the seventh data protection principle, which is that an organisation must have appropriate security to prevent the personal data it holds being accidentally or deliberately compromised. The charity has therefore undertaken to ensure the following:
- Laptops used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent;
- Hard copy documentation is only removed from the office when absolutely necessary. It will contain the minimum amount of personal data required for its purpose and will be anonymised where possible;
- A specific policy is put in place to cover working away from the office. This should include provisions on the handling of both electronic and hard copy personal data;
- Staff are aware of the data controller’s policies for the retention, storage and use of personal data and are appropriately trained in how to follow those policies; and
- The data controller shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction and/or damage.
The ICO has guidance for charities on data handling. This includes a ‘TH!NK PRIVACY’ training toolkit to remind staff of their obligations in this respect as well as guidance on complying with data protection law when carrying out marketing activities.