An unencrypted memory stick containing the details of more than 18,000 residents was lost by Rochdale Metropolitan Borough Council, according to the Information Commissioner's Office (ICO).
The ICO said that the memory stick was lost in May and has not yet been recovered. The details included residents' names and addresses in some cases, along with details of payments to and by the council.
The information had been put on a memory stick to compile the council's financial accounts; the ICO's investigation found that the council's data-protection practices failed to make sure that memory sticks provided to its staff were encrypted.
Sally Anne Poole, acting head of enforcement at the ICO, said: “Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people.
“Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that's why we will follow up with the council, to ensure they're doing everything they can to prevent this type of incident happening again.”
Christian Toon, head of information security Europe at Iron Mountain, said: “This is not an isolated incident; other public sector organisations have recently been found guilty of being in breach of the Data Protection Act.
“Information on the move outside the company is at risk unless it is properly encrypted and protected from human error. This requires more than just technology; it requires the development and active implementation of robust information management policies, supported by staff training and self-regulation.
“The public sector is accountable to the UK population. It has an obligation to take care of our personal details, not just in theory, but in practice.”
Grant Taylor, vice-president of Cryptzone, pointed out that the loss amounts to almost nine per cent of the city's population, and that, with just over 10,000 employees, the council clearly has a large number of staff handling a lot of data on a daily basis.
He said: “The only saving grace here is that details of the residents' bank accounts were not stored on the USB stick, as otherwise you would be handing an identity-theft kit on an electronic plate to cybercriminals, which, at current rates, would be worth around £12,000.”
Chris McIntosh, CEO of ViaSat UK, said: “The ICO has said that the data stored on this unencrypted memory stick was ‘not sensitive’ and that much was publicly available. This doesn't mean that the council and its citizens can breathe a sigh of relief, however: it simply means that this time they were very, very lucky.
“Encrypting data and ensuring that all employees know the importance of data protection should by now be the bare minimum expected from organisations in both the public and private sectors.”