The personal details of up to 101 people were lost when two unencrypted memory sticks and papers were stolen from the home of an employee of a Scottish charity.
According to the Information Commissioner's Office (ICO), the information from Enable Scotland (Leading the Way) included people's names, addresses and dates of birth, as well as a limited amount of data relating to the individuals' health. The charity reported the incident to the ICO in November 2011 and informed the individuals affected.
The ICO's investigation found that the information should have been deleted from the memory sticks once it had been uploaded onto the charity's server, and that the charity had no specific guidance for home workers on keeping personal data secure. Portable media devices used to store sensitive personal information were not routinely encrypted.
Ken Macdonald, assistant commissioner for Scotland, said: “Organisations that use memory sticks to store personal information must make sure the devices are properly protected. It is also important that employers provide home workers with guidance on how to keep any personal data taken outside of the office secure, as this is potentially when the information is most vulnerable.
“We are pleased that Enable Scotland has taken action to keep people's information safe, however this incident should act as a warning to all charities that they must ensure that personal information is handled correctly.”
Peter Scott, chief executive of Enable Scotland, has now signed an undertaking, committing the charity to improving its compliance with the Data Protection Act; this includes making sure laptops used to store sensitive personal data are encrypted and that hard-copy files will only be removed from the office when absolutely necessary and will contain the minimum amount of personal data required. Guidance will also be provided to home workers to ensure that any personal data taken outside of the office is kept secure.
Chris McIntosh, CEO of ViaSat UK, said: “While it is encouraging that the charity reported the breach immediately and notified the relevant parties immediately, the loss of the data itself was something completely avoidable.
“It is worrying that given the recent spate of data losses, some organisations still do not have a data protection policy in place for their workers and do not regularly encrypt their devices. As more organisations look to endorse remote working, sensitive data needs to be made secure from point to point or else we will keep seeing many more cases like this emerge in future.”