Two charities have been found in breach of the Data Protection Act by failing to encrypt computers that were subsequently stolen.
The Information Commissioner's Office (ICO) said that Sheffield-based Asperger's Children and Carers Together (ACCT) and Nottingham-based Wheelbase Motor Project both had unencrypted laptops stolen which contained sensitive information relating to young people.
Asperger's Children and Carers Together reported the breach after an unencrypted laptop, containing personal data relating to 80 children who attended its sessions, was stolen from an employee's home. The laptop was being used to store medication information as well as children's names, addresses and dates of birth.
Wheelbase Motor Project also reported the breach after the theft of an unencrypted hard drive from the charity's offices. The device contained personal information relating to 50 young people and included some details about past criminal convictions and child protection issues.
Deborah Woodhouse, director and co-founder of ACCT and Michael Clifford, CEO of Wheelbase Motor Project, have both signed undertakings to ensure that all portable and mobile devices used by the charity to store personal data will be encrypted. Both are also reviewing policy to make sure that staff are aware of procedures for the storage and use of personal data.
Sally-Anne Poole, acting head of enforcement, said: “The ICO's guidance is clear – any organisation that stores personal information on a laptop or other portable devices must make sure that the information is encrypted. Information about young people's medical conditions or criminal convictions is obviously sensitive and should have been adequately protected.
“We are pleased that both charities have agreed to take the necessary steps to ensure that the personal information they hold is kept secure from now on.”
Chris McIntosh, CEO of ViaSatUK, said: “Clearly it is in no one's interests to fine charities for breaches of the data protection act, not least because the money comes from the public. However, it is disappointing that the message still does not seem to be getting through.
“Organisations holding sensitive data, particularly where the vulnerable and young are involved must protect it in every way possible, ensuring that at a very minimum laptops and USB sticks are encrypted, while also carrying out regular education programmes with staff.”