ICO Slams Rochdale For Data Loss

Rochdale Council has been found guilty of breaching the Data Protection Act by losing data on more than 18,000 residents, it has been revealed.

An investigation by the Information Commissioner’s Office (ICO) found that the loss, which occurred in May when a finance department employee at Rochdale Metropolitan Borough Council loaded the data onto an unencrypted memory stick and lost it, was the result of insufficient data protection practices.

Data still lost

The device, which has not been recovered, contained information already in the public domain including residents’ names, addresses and details of payments to and by the council, but no bank account details.

The ICO investigation found that the council failed to provide employees with adequate data protection training and encrypted memory sticks, even where it was known that these would be used to process personal data. Despite this, the ICO has not served the council with an enforcement notice or fined it, but rather signed an undertaking of agreed actions to implement changes to its policies by 31 March 2012.

Unacceptable

“Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that’s why we will follow up with the council, to ensure they’re doing everything they can to prevent this type of incident happening again,” said acting head of enforcement, Sally Anne Poole.

“This was not an isolated incident,” adds Christian Toon, Head of Information Security Europe for Iron Mountain. “Other public sector organisations have recently been found guilty of being in breach of the Data Protection Act. Information on the move outside the company is always at risk unless it is properly encrypted and protected from human error. This requires more than just technology; it requires the development and active implementation of robust information management policies, supported by staff training and self-regulation.”

The ICO has produced guidance on the security measures that organisations should have in place when storing personal information electronically.

Iris Cheerin
