ICO Raps Scottish Charity For USB Data Breach

A Scottish charity has been reprimanded by the Information Commissioner’s Office (ICO) after two unencrypted memory sticks containing rafts of individuals’ data were stolen.

The data sticks belonging to Enable Scotland, which supports people with mental health issues, were taken from an employee’s home, leaving addresses, dates of birth and information relating to people’s health in the hands of the thieves.

Two USB sticks stolen

The ICO said the data should have been deleted as soon as it was uploaded to Enable’s servers, yet the charity had no specific guidance for home workers on how to handle information, or keep it secure.

Mobile devices used to store sensitive details were not encrypted as a rule either, an investigation found.

Yet the ICO did not believe Enable’s failings warranted a fine. The data protection watchdog said the exposed health data was not specific, but it was of concern that people’s names were linked to a charity that deals with mental health issues.

A spokesperson told TechWeek Europe that charities did not get special treatment: “It’s the same for every organisation. The only difference would be if we were to issue a monetary penalty, which we haven’t done for a charity yet. Part of our monetary penalty guidance takes into account the ability for an organisation to pay,” the spokesperson said.

“So if they were a charity and they were of limited means, then we would have to take that into account.”

Third sector bodies are treated the same as private companies by the ICO, so are not obliged to disclose breaches as public sector organisations are.

“We do see data breaches at charities, but it’s not a key concern at the moment for us,” the spokesperson added. “They will be handling potentially sensitive information, therefore we would expect them to inform us of breaches which do involve sensitive information.”

Enable has now signed an undertaking, agreeing to improve its practices. The organisation will ensure its mobile devices are encrypted and give workers guidance on data protection procedures.

“We are pleased that Enable Scotland has taken action to keep people’s information safe. However, this incident should act as a warning to all charities that they must ensure that personal information is handled correctly,” said Ken Macdonald, assistant commissioner for Scotland.

The most recent fine issued by the ICO went to Cheshire East Council, after an email containing sensitive data was sent to the wrong recipients.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
