Stolen council laptops contained sensitive information on pupils

The Information Commissioner’s Office (ICO) has found Warwickshire County Council in breach of the Data Protection Act (DPA) following the theft of two laptops and the loss of a memory stick.
The laptops, which were unencrypted and not physically secured or locked away, were stolen from council offices. They held sensitive personal information relating to a number of pupils and members of staff from two schools. The council also reported a separate incident to the ICO, involving the disappearance of an unencrypted memory stick holding a small amount of personal data relating to children attending an education centre.

Jim Graham, Chief Executive of Warwickshire County Council, has now signed a formal Undertaking to ensure that portable and mobile devices used to store and transmit personal data are encrypted. Staff will also be made fully aware of the council’s policy for storage of personal data. The council will implement other security measures as it deems appropriate to ensure that personal data is protected against unauthorised access.

Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when
it concerns sensitive information relating to children. A lack of awareness of data protection requirements can lead to personal information falling into the wrong hands. I am aware that staff were in the process of encrypting their portable devices in compliance with the Data Protection Act and I am pleased that the council will take action to prevent against security breaches in future.”

A full copy of the Undertaking can be viewed here:
http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx