Despite both being stored in a locked office and being password protected, the ICO found that the Highland Council was in breach of the Data Protection Act (DPA) and the council has signed formal undertakings promising to encrypt all mobile devices.
Outlaw.com reported that the laptops contained personal details on 1,400 people including some medical information. The ICO claimed that ‘no additional physical security measures were in place'.
Assistant commissioner Ken Macdonald, said: “The stolen laptops contained sensitive personal information, including health records. I urge all councils and their executive teams to ensure that data protection is treated as an important part of corporate governance. Safeguarding sensitive personal information must be embedded in their organisational culture. No public body can afford to take risks with personal details, least of all health records."
Council chief executive Alistair Dodds signed a formal undertaking committing the council to encrypting all mobile devices containing personal data by the end of September. The undertakings orders the Council to ensure that ‘physical security measures and procedures are adequate to prevent the theft of devices that contain personal data, the loss of which could cause damage or distress to individuals'.