ICO Raps Local Council Over Lost Memory Stick

Cambridgeshire County Council has been found to be in breach of the Data Protection Act after losing a memory stick

The Information Commissioner’s Office (ICO) has found Cambridgeshire County Council to be in breach of the Data Protection Act, after it lost a memory stick containing sensitive data relating to vulnerable adults.

The incident came to light last November when the ICO was informed that a council worker had lost the unencrypted memory stick that contained the personal details of at least six people. The stick reportedly contained case notes and minutes of meetings relating to the individuals’ support.

It seems that human error was to blame, as the information was apparently saved on an unapproved memory stick, after the worker experienced difficulties using the official encrypted memory stick that the council had provided free of charge.

Human Error

This seems to be very unfortunate timing, as the breach occurred shortly after the council had undertaken an internal campaign aimed at promoting its encryption policy. Workers had been asked to hand over their unencrypted devices and were actually warned about the importance of keeping personal information secure.

“While Cambridgeshire County Council clearly recognise the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check their data protection policies are continually followed and fully understood by staff,” said Sally-Anne Poole, Enforcement Group Manager at the ICO.

“We are pleased that Cambridgeshire County Council has taken action to improve its existing security measures and has agreed to carry out regular and routine monitoring of its encryption policy to ensure it is being followed.”

Perhaps because the loss was the result of a staff member acting against existing guidelines, the ICO chose not to issue a financial penalty. Instead, Mark Lloyd, Chief Executive of Cambridgeshire County Council, has signed a formal undertaking to ensure that all portable devices used by the council are encrypted using encryption software that meets the current standard.

Slap On Wrist

The council has also agreed to carry out regular monitoring of its data protection policies and IT security measures in order to ensure that they are being followed by all staff.

“What is clear is that in Cambridgeshire County Council’s case, the loss wasn’t a failure on the part of security strategy, but rather one of employee education,” said Chris McIntosh, CEO of encryption specialists Stonewood. “An organisation can have the best security technology and protocols in the world, but without an educated workforce they’re worthless. Employees must be fully aware not only of how to handle data, but also of the potential consequences and ways to avoid them. If these are not fully understood, then the employee, the organisation and, in this case, a number of vulnerable adults will pay the price.”

“It is not enough to simply give employees an initial introduction to security,” he added. “Organisations must provide continuous support to anticipate problems and prevent situations like this before they occur in the first place. For example, in this case an educated employee would have made the council aware of problems with their encrypted device, rather than simply using an unsecure replacement. There will always be a chance of human error in IT security; the job of the organisation is to make sure that its employees are educated on these risks and that policies are enforced.”

Indeed, the slap on the wrist and public naming and shaming of Cambridgeshire County Council is in marked contrast to the ICO’s more recent, tougher approach with local councils over data protection issues.

Earlier this month, for example, the ICO fined two local councils for failing to ensure their laptops were encrypted. Ealing Council was hit with an £80,000 fine, whereas Hounslow Council was charged £70,000.

And last November, the ICO ordered Hertfordshire County Council to pay a fine of £100,000 for revealing details of a sex abuse case to a member of the public. Meanwhile, employment agency A4e was also fined £60,000 for losing a laptop which contained the unencrypted details of thousands of people.

Financial Penalties

The Hertfordshire County Council and A4e penalties were the first fines that the ICO had ever issued, and came after a period in which the ICO seemed to prefer public dressing-downs of culprits to handing out financial penalties.

This was despite the ICO discovering numerous acts of data loss.

Certainly the ICO seems to have been getting a lot tougher of late. In October last year the ICO was attacked by a Tory MP over the way it handled the Google WiSpy incident.

Conservative MP Robert Halfon labelled the ICO’s lack of action over Google as “lamentable”, but the Information Commissioner, Christopher Graham, vigorously defended the actions of the ICO and its decision not to hit Google with a fine.