Cambridgeshire County Council has breached the Data Protection Act after losing a memory stick that contained sensitive data relating to vulnerable adults.
The Information Commissioner's Office (ICO) was informed by the council in November 2010 that an employee had recently lost an unencrypted memory stick containing personal data relating to a minimum of six individuals.
The breach occurred shortly after the council had undertaken an internal campaign aimed at promoting its encryption policy. During this time employees had been asked to hand in unencrypted devices and were warned about the importance of keeping personal information secure.
The information included case notes and minutes of meetings relating to the individuals' support and was saved on an ‘unapproved’ memory stick. The device was used to store the information after the member of staff encountered problems using an encrypted memory stick that the council had previously provided free of charge.
Commenting, Kevin Bocek, director of product marketing at IronKey, said: “The ICO made a strong statement in the undertaking with Cambridgeshire County Council: encrypt and forget it isn't good enough. More specifically, organisations that are providing encrypted flash drives must ensure they are being used, expecting that just because encryption is provided doesn't eliminate the commitment of UK private enterprise and government to proactively manage data.
“While encryption can protect data, and as recognised by the ICO is an excellent means to do so, the protection of data must be managed and monitored.
“This ICO action continues to build out the very clear guidance that the ICO is providing: private data must be protected, encryption provides the best means to accomplish this, and encryption must be managed, maintained and constantly monitored.”
Sally-Anne Poole, enforcement group manager at the ICO, said: “While Cambridgeshire County Council clearly recognise the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check their data protection policies are continually followed and fully understood by staff.”
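The ICO's point above is that compliance with an encryption policy has to be checked continuously rather than assumed once devices have been handed out. The following Python script is an added example, not code from the article, the ICO or the council: it audits removable-media mount events against an inventory of approved encrypted drives and flags the exact pattern this incident describes, an approved device failing and an unapproved one appearing on the same workstation shortly afterwards. The log format, device serials, usernames and the inventory are all constructed for illustration.

```python
"""Audit removable-media mount events against an approved-device inventory.

Hypothetical monitoring check (not the council's or ICO's tooling). Any device
that is not in the inventory of council-issued encrypted drives is reported, and
an unapproved mount that follows a failed mount of an approved drive on the same
host is reported separately, because that is the fallback behaviour to watch for.
"""
from dataclasses import dataclass

# Constructed inventory: serials of encrypted drives issued by the organisation.
APPROVED_DEVICES = {
    "SN-ENC-0001": {"user": "jsmith", "encrypted": True},
    "SN-ENC-0002": {"user": "agreen", "encrypted": True},
}

# Constructed sample events: timestamp host user device_serial action
SAMPLE_EVENTS = """\
2010-11-02T09:14:05 ws-014 jsmith SN-ENC-0001 mounted
2010-11-02T09:40:12 ws-014 jsmith SN-RETAIL-77A mounted
2010-11-03T11:02:33 ws-022 agreen SN-ENC-0002 mounted
2010-11-03T11:05:00 ws-022 agreen SN-ENC-0002 mount_failed
2010-11-03T11:06:41 ws-022 agreen SN-RETAIL-77A mounted
"""


@dataclass
class Event:
    ts: str
    host: str
    user: str
    serial: str
    action: str


def parse_events(text: str) -> list[Event]:
    """Parse the whitespace-separated event lines, skipping blank or short lines."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: ignore rather than crash the audit
        events.append(Event(*fields))
    return events


def audit(events: list[Event], inventory: dict) -> list[dict]:
    """Return one finding per policy-relevant event, in log order.

    Finding kinds:
      approved_device_failure  - an issued encrypted drive failed to mount
      unapproved_device        - a device outside the inventory was mounted
      fallback_after_failure   - unapproved mount on a host where an approved
                                 drive had already failed (the incident pattern)
    """
    findings = []
    failed_on_host: dict[str, str] = {}  # host -> serial of approved drive that failed
    for ev in events:
        approved = ev.serial in inventory
        if ev.action == "mount_failed" and approved:
            failed_on_host[ev.host] = ev.serial
            findings.append({"kind": "approved_device_failure", "host": ev.host,
                             "user": ev.user, "serial": ev.serial, "ts": ev.ts})
        elif ev.action == "mounted" and not approved:
            kind = "fallback_after_failure" if ev.host in failed_on_host else "unapproved_device"
            findings.append({"kind": kind, "host": ev.host, "user": ev.user,
                             "serial": ev.serial, "ts": ev.ts,
                             "failed_device": failed_on_host.get(ev.host)})
    return findings


def format_report(findings: list[dict]) -> list[str]:
    """Render findings as one line each for a reviewer or ticketing system."""
    lines = []
    for f in findings:
        extra = f" (after failure of {f['failed_device']})" if f.get("failed_device") else ""
        lines.append(f"{f['ts']} {f['host']} {f['user']}: {f['kind']} {f['serial']}{extra}")
    return lines


if __name__ == "__main__":
    for line in format_report(audit(parse_events(SAMPLE_EVENTS), APPROVED_DEVICES)):
        print(line)
```

The failure-then-fallback rule matters more than the plain "unknown device" rule: the latter fires on any personal stick, while the former points at a user who has hit a problem with the issued drive and needs support before data ends up on an unmanaged device.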
Chris McIntosh, CEO of Stonewood, said: “What is clear is that in Cambridge County Council's case, the loss wasn't a failure on the part of security strategy, but rather one of employee education. An organisation can have the best security technology and protocols in the world, but without an educated workforce they're worthless.
“It is not enough to simply give employees an initial introduction to security. Organisations must provide continuous support to anticipate problems and prevent situations like this before they occur in the first place.
“For example, in this case an educated employee would have made the council aware of problems with their encrypted device, rather than simply using an unsecure replacement. There will always be a chance of human error in IT security; the job of the organisation is to make sure that its employees are educated on these risks and that policies are enforced.”
Elwyn Jones, vice president of public sector at Mastek, said: “Competing priorities so often supersede these duties, and it is astonishing that data is still lost or leaked on such a regular basis, especially when pseudonymisation and anonymisation tools exist that can take the responsibility for data protection out of human hands. As it stands, while organisations continue to fail to address this issue, the risk of further incidents remains an ever-present danger.”