Charities reminded about secure handling of personal information after ICO finds Alzheimer's Society to be in breach of the Data Protection Act
The Information Commissioner's Office (ICO) has reminded charities that personal information must be handled securely after finding the Alzheimer's Society in breach of the Data Protection Act.
The Alzheimer's Society reported three separate breaches involving personal information to the ICO during 2009. These included the theft of several unencrypted laptops during a burglary at its office in Cardiff last August; the laptops held the names, addresses, national insurance numbers and salary details of around 1,000 staff across England, Wales and Northern Ireland.
Sally-Anne Poole, head of investigations at the ICO, said: “It is vital that all organisations ensure personal information is handled securely and that appropriate staff have adequate training in this area. We are aware that the laptops were due to be encrypted and I am pleased that the Alzheimer's Society has taken action to guard against security breaches of this nature in future.”
Ewen Anderson, managing director of Centralis, said: “Information security is determined at an organisational level. If the system allows you to download such information, people probably will, because having it locally is just more convenient for them.
“Simply preventing it isn't the answer either – you have to balance restrictions with flexible access to systems and data which means you can access what you need from anywhere, but can't save it to laptops without authorisation and proper controls.
“Organisations will, and should, become increasingly risk averse, to the point where any local storage of corporate data is seen as exceptional, and transferring it by local storage devices highly unusual, if not wholly unacceptable, behaviour.”
Dave Everitt, general manager of EMEA for Absolute Software, said: “It's not just charities that the ICO needs to be warning about laptop security. Many other organisations are being just as careless when it comes to compliance with the Data Protection Act. Laptop thefts from organisations are reported almost daily, and with personal and corporate details at risk of being leaked, organisations certainly can't sit back and wait to be another victim.
“Often organisations aren't worried about the £400 it would cost to replace a laptop, but the data held on it can cost the organisation a lot more. Charities do need to be extra cautious as they will hold lots of highly confidential information about vulnerable individuals. The time it will take to recreate the data, or the impact on an organisation's reputation after telling individuals that their personal details have been compromised, should encourage better security practices.
“We would ask that the ICO should be warning all organisations, not just concentrating its efforts on one particular sector, which is no more to blame than any other.”