ICO issues third fine for loss of unencrypted laptops

Out-Law News | 10 Feb 2011 | 12:29 pm | 1 min. read

Two local authorities have been fined a total of £150,000 by data protection watchdog the Information Commissioner after the theft of two laptops which, contrary to the councils' policies, were not encrypted.

The Information Commissioner's Office (ICO) has fined Ealing Council £80,000 and Hounslow Council £70,000 because the unencrypted laptops contained sensitive personal information relating to 1,700 people.

Ealing Council provides an out-of-hours service for both authorities, a service that depends on nine people working from home. Two laptops were stolen from the home of one of these employees, and though the computers were password-protected they were not encrypted.

The computers contained data about 1,000 clients of Ealing Council and 700 of Hounslow Council.

"Both laptops were password protected but unencrypted – despite this being in breach of both councils’ policies," said an ICO statement. "Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies. This method of working has been in place for several years and there were insufficient checks that relevant policies were being followed or understood by staff."

"Hounslow Council breached the Act by failing to have a written contract in place with Ealing Council. Hounslow also did not monitor Ealing Council’s procedures for operating the service securely," it said.

The ICO said that there was no evidence that the thefts had resulted in use of the sensitive information, but ICO deputy commissioner David Smith said that organisations had to work harder to protect computers and the information on them.

"Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops," said Smith. "Where personal information is involved, password protection for portable devices is simply not enough."

"The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected," he said.