Lost unencrypted USB stick costs council £80,000 data breach fine

Out-Law News | 29 Oct 2013 | 2:38 pm | 1 min. read

A local authority has been fined £80,000 by the UK's data protection watchdog after it lost an unencrypted memory stick containing sensitive data about children with special needs.

The Information Commissioner's Office (ICO) ruled that North East Lincolnshire (NEL) Council had been guilty of a serious breach of the Data Protection Act (DPA).

It is thought that data relating to around 286 pupils aged between five and 16 was stored on the memory stick lost by NEL Council. All of the pupils had "special educational needs" and some were deemed to be vulnerable children.

The memory stick contained details about the mental and physical health of the pupils and their teaching requirements as well as information about their home life, the ICO said.

An internal report by the Council had concluded that "the loss of the sensitive personal data is likely to lead to the ill-health of those affected through the disclosure of the data or due to a break in the services which they were receiving", according to the monetary penalty notice served by the ICO. (28-page / 183KB PDF) Individuals were not notified about the data breach and it has not been established whether the data stored on the memory stick has fallen into the hands of an untrustworthy third party, it said.

ICO head of enforcement, Stephen Eckersley, said in a statement: "Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted."

"North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented. This breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people’s information is being looked after correctly."

Under the DPA the ICO has the power to issue penalties of up to £500,000 for serious data breaches.

The Act requires organisations to take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" and requires organisations to be extra protective over sensitive personal data, such as information about individuals' health, due to the harm that can result from its unauthorised disclosure.