Out-Law News 1 min. read

British Council rapped over loss of sensitive data of 2,000 staff


Privacy Regulator the Information Commissioner's Office (ICO) has censured the British Council for losing the personal data of 2,000 staff. The ICO has made the Council sign a formal undertaking in which it promises to improve its data handling.

The Council lost an unencrypted computer disc containing information about the trade union membership of 2,000 staff and banking details, information the ICO said was 'sensitive personal information', and therefore protected under the Data Protection Act.

The disc was in transit when it was lost by a courier service which the ICO did not name. The ICO still held the Council responsible for the breach of the Act, though, because it said it was the lack of encryption that was the problem.

"The data controller did not take its own measures to safeguard the personal data it held on the disc, and in particular failed to ensure that the data was protected by the Government minimum standard of encryption," said the ICO's report on the issue. "The Commissioner has taken into account the fact that the personal data in question related to trade union membership and bank account details, and could therefore potentially result in significant distress being caused to the individuals concerned."

The ICO said that it would not issue an Enforcement Order against the British Council as long as it abided by the terms of a formal undertaking.

This bound the Council to take "all reasonable measures" to ensure the physical security of data, whether in its hands or those of third parties. It bound it to encrypt devices with any data on it whose loss might cause damage or distress to people.

The ICO said that it an important factor in its treatment of the issue was the fact that the Council came forward as soon as it discovered the loss.

"The British Council proactively reported the breach to the ICO and took immediate remedial action which demonstrates its understanding of the seriousness of this data loss," said Mick Gorrill, assistant information commissioner. "The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. The organisation also agrees to ensure that its policies on the transfer and sharing of personal information on portable devices are clear and compliant with government standards.”

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.