The Information Commissioner's Office (ICO) has taken action against three county councils for breaching the Data Protection Act.
It said ‘a systemic lack of staff training on how to handle personal information’ led to the loss of sensitive personal information relating to thousands of children at the London Borough of Barnet, West Sussex County Council and Buckinghamshire County Council.
Barnet Council reported the loss of details of over 9,000 children and members of their families when an unencrypted, non-password-protected USB stick and CDs were stolen from an employee's home.
An employee had downloaded the data onto the unencrypted devices without any authorisation to do so, although it was later revealed that there was no training provided or security in place to prevent such downloads. The ICO had conducted an audit of the London Borough of Barnet prior to this incident that had also highlighted this lack of staff training.
West Sussex County Council also had a laptop stolen from the home of an employee, which contained sensitive personal data relating to an unknown number of children and families involved in childcare proceedings.
The laptop was unencrypted and enquiries by the ICO revealed that the employee had not received any formal data protection/IT security training. It was also discovered that over 2,300 unencrypted laptops were likely to be still in use across the council's various services, although steps are now being taken to encrypt these.
Finally, Buckinghamshire County Council provided a report regarding the loss at Heathrow Airport of documents containing sensitive personal data relating to two children. The documents were in a plastic wallet belonging to a council social work employee who was travelling to another UK city in connection with the children's social care case.
After further analysis, the ICO determined that no real thought had been given to the security of this personal data during travel. It was also revealed that some of the council's policies needed revision and that staff training in data protection was insufficient.
All three councils have signed formal undertakings to ensure staff will be made fully aware of the policies of their council for the storage and use of personal data. The London Borough of Barnet and West Sussex County Council will also provide appropriate training on data protection and IT security and ensure portable and mobile devices used to store and transmit personal data are encrypted.
The ICO said that a further audit will be carried out on the London Borough of Barnet within the current financial year to monitor the previous recommendations made to it.
Sally-Anne Poole, enforcement group manager at the ICO, said: “These three councils have shown a poor regard for the importance of protecting children's personal information. It is essential that councils ensure the correct preventative safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children. A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands.
“I am particularly concerned where a public authority has previously been warned about the lack of staff training in data security. Breaches involving such large numbers of children and family members could easily have been avoided. I am pleased that all of the councils have now taken or proposed action to prevent against further data breaches.”
Chris McIntosh, CEO of Stonewood, said: “It is outrageous that three whole councils seem to have so little regard to keeping our children safe. It is bad enough that they don't protect their own data, but to lose information about those who are the most vulnerable is beyond unacceptable.
“Employees are always going to lose memory sticks and laptops, but that doesn't have to mean data loss. It is not rocket science, there will always be simple human errors. Organisations need to protect against this by making sure information cannot be accessed when a loss occurs.
“Companies shouldn't even need a body like the ICO to want to protect their data, it should be of utmost priority without the incentive of possible action against them. Ultimately, councils who value their people should start to value their data.”
Dave Everitt, general manager EMEA at Absolute Software, said: “Inadequate training about how to handle sensitive information is unacceptable, especially when the information being handled relates to children. It is time to advise and educate organisations that still have question marks hanging over their security practices. They need to take note of these latest data breach incidents and better inform staff about the most secure way of working – before it's too late.
“Only when confirmation of successful data deletion has been received, via log file reporting, will bosses be confident that their organisation's reputation is protected from data breach. The public will then be reassured that their personal information is protected with the diligence it deserves.”