ICO Slaps Two Charities Over Data Breaches

Two charities breached data protection rules by failing to encrypt computer equipment that was then stolen

The Information Commissioner’s Office (ICO) has decided not to impose fines on two charities after they failed to encrypt computer equipment that contained sensitive information about children and youngsters.

According to the ICO ruling, the two charities, Sheffield-based Asperger’s Children and Carers Together (ACCT) and Nottingham-based Wheelbase Motor Project, were both guilty of breaching data protection rules.

The ACCT charity breached the rules when an unencrypted laptop, containing personal data relating to 80 children who attended its sessions, was stolen from a staff member’s home in December last year. The data was said to contain medical information as well as the children’s names, addresses and dates of birth.

Mandatory Encryption

Meanwhile the second charity, Wheelbase Motor Project, also suffered a theft when an unencrypted hard drive was stolen from its offices. This drive contained personal information relating to 50 young people and included some details about past criminal convictions and child protection issues.

“The ICO’s guidance is clear – any organisation that stores personal information on a laptop or other portable devices must make sure that the information is encrypted. Information about young people’s medical conditions or criminal convictions is obviously sensitive and should have been adequately protected,” said acting head of enforcement, Sally-Anne Poole.

“We are pleased that both charities have agreed to take the necessary steps to ensure that the personal information they hold is kept secure from now on,” she added.

The ICO has decided in these cases not to issue any fines.

Both Deborah Woodhouse, Director and Co-Founder of ACCT, and Michael Clifford, CEO of Wheelbase Motor Project, signed the usual undertakings to encrypt all portable devices that store sensitive personal information.

Industry Frustration

Encryption specialist ViaSatUK (formerly Stonewood) expressed its disappointment that the message about encryption is still not getting through to some organisations, despite many previous examples of data losses.

“Clearly it is in no one’s interests to fine charities for breaches of the Data Protection Act, not least because the money comes from the public,” said CEO Chris McIntosh. “However, it is disappointing that the message still does not seem to be getting through.”

“Organisations holding sensitive data, particularly where the vulnerable and young are involved, must protect it in every way possible, ensuring that at a very minimum laptops and USB sticks are encrypted, while also carrying out regular education programmes with staff,” he added.

Last month ViaSatUK accused the ICO of letting 99 percent of firms get away with data breaches, after it said that the ICO had acted on only one percent of the breaches reported to it. However, the ICO has disputed ViaSatUK’s findings.

Certainly the ICO went through a period of not issuing any fines at all, despite discovering numerous acts of data loss. But in November, the ICO issued its first data loss fines to Hertfordshire County Council and employment agency A4e.

The ICO has the power to fine companies that breach data protection laws anything up to £500,000.