Two charities breached Data Protection Act, rules ICO

31 May 2011 News

The Information Commissioner’s Office has found two charities in breach of the Data Protection Act after the charities’ unencrypted laptops containing sensitive information were stolen.

Sheffield-based Asperger’s Children and Carers Together (ACCT) and Nottingham-based Wheelbase Motor Project (WMP), which works to educate hard-to-reach children, both reported breaches to the ICO after the laptops were stolen in separate incidents.

The medication information, names, addresses and dates of birth of 80 children were contained within the ACCT laptop, which was stolen from an employee’s home in December last year. Details of the past convictions and child protection issues of 50 children were contained within the WMP laptop, which was stolen from the charity’s offices.

A spokesman for the ICO confirmed that neither laptop nor their hard drives had been recovered. "While we have no reason to suspect that the information has been used, there's nothing appearing online or elsewhere, we can't confirm that this is the case," he added.

No monetary penalty

The charities were both spared a monetary penalty. Since 6 April 2010 the ICO has had the power to impose a penalty of up to £500,000, but just five have been issued so far.

“In deciding whether a monetary penalty is justified we look at whether the information could cause substantial damage or distress,” said the spokesman.

The information contained in the charities’ laptops was not deemed to do so, he advised: “It was stuff that would be embarrassing but we look at whether or not it would cause any long-term damage. It’s also about the measures taken in policy and procedures. In these cases there were passwords to protect the information. But there was no encryption. We recommend encrypting any laptop containing sensitive information.”

Deborah Woodhouse, director and co-founder of ACCT, and Michael Clifford, chief executive of WMP, have signed undertakings to ensure that all portable devices storing personal data will be encrypted.

Woodhouse has also agreed to update existing policies and procedures for the storage of sensitive information and to ensure staff receive training on how to follow them, while Clifford has agreed to ensure WMP's existing policies are successfully communicated to staff and monitored.

Sally-Ann Poole, acting head of enforcement at the ICO, said:

“The ICO’s guidance is clear – any organisation that stores personal information on a laptop or other portable devices must make sure that the information is encrypted. Information about young people’s medical conditions or criminal convictions is obviously sensitive and should be adequately protected.

“We are pleased that both charities have agreed to take the necessary steps to ensure that the personal information they hold is kept secure from now on.”