In a week that has seen data losses involving both The Educational Credit Management Corporation and Stoke-on-Trent City Council, north London's Barnet Council has now reported the loss of data that affects 9,000 people.
In a letter to parents and guardians, Barnet Council chief executive Nick Walkley said that information about children in year 11 in Barnet schools from 2007, 2008 and 2009 was stolen in a domestic burglary earlier this month.
He claimed that there was a low risk after a member of staff was burgled and computer equipment, and a number of CD ROMs and memory sticks were stolen along with other items from the house.
Walkley said: “The council has policies and processes in place to make sure that information that could be taken in such circumstances remains confidential. The computer equipment was encrypted in line with council policies, so cannot be used to access confidential information. But this was not the case with the CDs or memory sticks. This was a clear breach of our policies and the member of staff concerned has been suspended.”
He confirmed that the data stored on the CD ROMs and memory sticks included children's names and information about their educational attainment, entitlement to free school meals and postcode.
He also said that the council has carried out a full risk assessment on the information on the stolen CDs, made software changes to prevent staff saving any data onto unsecured memory devices (including CD ROMs), confirmed that every council computer used by staff outside of the office is securely encrypted and ordered a full independent enquiry into how this incident came to take place and how the council protects confidential information.
“The council works to help and support children and young people every day and we take these duties extremely seriously. I am very sorry that we have, on this occasion, failed to meet our own high standards and have, as a result, let you down,” said Walkley.
A full Q&A has been provided by the council for the incident, where it claims that the member of staff had this information for ‘statistical purposes comparing trends amongst all students with the school performance of the children with which they were working’.
Chris McIntosh, CEO of encryption expert Stonewood, claimed that while the data loss should never have happened, Barnet has reacted very well by implementing a full security lockdown and disciplining the worker.
He said: “While Barnet Council's lax rules may have allowed this data loss to happen, it did ensure that the stolen laptop was encrypted. Beyond this, the council's reaction puts the actions of many other organisations that have lost data, from other councils to multinational corporations, to shame.
“The council has responded in exactly the way it should have. Data security has been put under draconian controls, the ICO and at risk individuals have been informed post haste, and it is evident that Barnet Council is acting to both minimise the effects of this theft and to tighten controls and prevent any further incidents in the future. This is a model that organisations should be more keen to follow, especially with the ICO's new punitive powers. However, an even better model would be preventing the loss in the first place.”
Paul Briault, head of public sector at RSA, said: "Today's data loss at Barnet Council raises a red flag and demonstrates that public sector bodies still need to address their approach to security. Whether intentional or accidental, devices continue to go missing in the public sector, potentially putting confidential data into the hands of fraudsters that would seek to take advantage of it.
"Organisations need to prepare themselves for such losses by putting in place information management and security technologies to protect data regardless of where it travels. However, they also need to aim higher and integrate information technology with their business strategy; the two cannot be siloed. By taking an holistic information risk management approach, organisations can save time and public money, and focus on what needs to be looked after most. For example, devices with large amounts of confidential data can be marked high priority, while those that do not present a threat can be marked low. This makes the business security approach more manageable and achievable."