A council is to take remedial action after losing a computer memory stick containing sensitive personal information about children and young people. The West Berkshire authority is acting after the Information Commissioner’s Office found it had breached the Data Protection Act.
Material on the USB stick, which was unencrypted and not password protected, included details of the ethnicity and physical or mental health of the children. The ICO found that unencrypted devices, in use before the council introduced encrypted memory sticks in 2006, were still being used by staff.
An investigation also found staff had not had appropriate training in data protection. Monitoring of compliance with the council’s policies was also judged to be inadequate. This was the second data security incident reported by West Berkshire within six months.
Nick Carter, the council’s Chief Executive, has now signed a formal undertaking that portable and mobile devices used to store and transmit personal data will be encrypted. Staff will also be made aware of the council’s policy for the storage of personal data and there will be relevant training on data protection and IT security issues.
Sally-Anne Poole, Enforcement Group Manager at the ICO, said it was essential that organisations ensured the right safeguards were in place for storing and transferring personal data, especially when it was sensitive information relating to children. “A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands. I am aware that staff have been provided with encrypted USB sticks since 2006 but older devices were not recalled. I am pleased that the council has now taken action to prevent against further data breaches,” she said.