The Information Commissioner’s Office has found two charities in breach of the Data Protection Act after both had laptops containing unencrypted personal data stolen. Laptops owned by Asperger’s Children and Carers Together (ACCT) and Wheelbase Motor Project (WMP) were taken from the house of an employee and an office. They contained the personal information of 130 children, including their medication, criminal convictions, names, addresses and dates of birth.
Deborah Woodhouse, director and co-founder of ACCT, and Michael Clifford, CEO of Wheelbase Motor Project, have both now signed undertakings to ensure all personal data is encrypted in future and all staff understand their responsibilities under the Data Protection Act.
Sally-Anne Poole, acting head of enforcement, said:
“The ICO's guidance is clear – any organisation that stores personal information on a laptop or other portable devices must make sure that the information is encrypted. Information about young people's medical conditions or criminal convictions is obviously sensitive and should have been adequately protected.”
“We are pleased that both charities have agreed to take the necessary steps to ensure that the personal information they hold is kept secure from now on.”
Chris McIntosh, CEO of ViaSatUK, said:
“Clearly it is in no one's interests to fine charities for breaches of the Data Protection Act, not least because the money comes from the public. However, it is disappointing that the message still does not seem to be getting through.”
“Organisations holding sensitive data, particularly where the vulnerable and young are involved, must protect it in every way possible, ensuring that at a very minimum laptops and USB sticks are encrypted, while also carrying out regular education programmes with staff.”
Although Mr. McIntosh is correct in his assertion that fining the charities is not in the public interest, there must be a substantial form of punishment to ensure charities follow the Data Protection Act, otherwise this type of incident will be repeated again and again. Organisations must be held accountable when sensitive personal information gets lost or stolen.
Training and education about data protection matters are just not good enough - it is all very well signing up to do it better once the damage has been done. They should be ensuring the correct systems are in place from the outset.
Posted by: more DPA education | 31/05/2011 at 06:45 PM