The Information Commissioner’s Office (ICO) has decided not to impose fines on two charities after they failed to encrypt computer equipment that contained sensitive information about children and youngsters.
According to the ICO ruling the two charities, Sheffield-based charity Asperger’s Children and Carers Together (ACCT) and Nottingham-based charity Wheelbase Motor Project, were both guilty of breaching data protection rules.
The ACCT charity breached the rules when an unencrypted laptop, containing personal data relating to 80 children who attended its sessions, was stolen from a staff member’s home in December last year. The data was said to contain both medical information as well as the children’s names, addresses and dates of birth.
Meanwhile the second charity, Wheelbase Motor Project, also suffered a theft when an unencrypted hard drive was stolen from its offices. This drive contained personal information relating to 50 young people and included some details about past criminal convictions and child protection issues.
“The ICO’s guidance is clear – any organisation that stores personal information on a laptop or other portable devices must make sure that the information is encrypted. Information about young people’s medical conditions or criminal convictions is obviously sensitive and should have been adequately protected,” said acting head of enforcement, Sally-Anne Poole
“We are pleased that both charities have agreed to take the necessary steps to ensure that the personal information they hold is kept secure from now on,” she added.
The ICO has decided in these cases not to issue any fines.
Both Deborah Woodhouse, Director and Co-Founder of ACCT, and Michael Clifford, CEO of Wheelbase Motor Project, signed the usual undertakings to encrypt all portable devices that store sensitive personal information.
Encryption specialist ViaSatUK (formerly Stonewood) expressed its disappointment that the message about encryption is still not getting through to some organisations, despite many previous examples of data losses.
“Organisations holding sensitive data, particularly where the vulnerable and young are involved must protect it in every way possible, ensuring that at a very minimum laptops and USB sticks are encrypted, while also carrying out regular education programmes with staff,” he added.
Last month ViaSatUK accused the ICO of letting 99 percent of firms get away with data breaches, after it said that the ICO had acted on only one percent of the breaches reported to it. However the ICO has disputed ViaSatUK’s findings.
Certainly the ICO went through a period of not issuing any fines at all, despite discovering numerous acts of data loss. But in November, the ICO issued its first data loss fines to Hertfordshire County Council and employment agency A4e.
The ICO has the power to fine companies that breach data protection laws anything up to £500,000.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…