It reported that the Association of School and College Leaders (ASCL) breached the act in May 2011 when a laptop was stolen from an employee's home. Enquiries found that while the laptop had encryption software installed on it, the decision on whether or not to encrypt individual documents was left to the employee.
At the time of the theft, the laptop included unencrypted personal information relating to approximately 100 individuals, which included details of their membership of the union and, in some cases, details of their physical and mental health.
The ICO also reported that an unencrypted laptop was stolen from an unlocked office at Holly Park School in Barnet. The device contained pupils' names, addresses, exam marks and some limited information relating to their health.
Sally Anne Poole, acting head of enforcement at the ICO, said: “The ICO's guidance is clear: all personal information, the loss of which is liable to cause individuals damage and distress, must be encrypted.
“This is one of the most basic security measures and is not expensive to put in place, yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people's personal information at risk unnecessarily.”
Mike Smart, product and solutions director at SafeNet, said: “Two recent stories of serious data breaches at UK educational institutions suggest some school IT administrators need to go back to school on data protection strategies.
“Perhaps that's too strong a line, but it does beggar belief that encryption isn't being used either widely enough or at all. This is especially concerning given the sensitivity of the information at risk and the severe damage to a school's reputation and finances from falling foul of the regulators and the media.”
Chris McIntosh, CEO of ViaSat UK, said: “It still seems that too many organisations are learning to improve their data protection policies through being subject to a data loss: a clear case of locking the stable door even though the horse has not only bolted but wrecked the door in doing so.
“The ICO is right to keep banging the drum on encryption, as we can see from these cases it's not enough to simply place encryption software on a device and hope that workers will automatically know what data needs to be encrypted.
“Organisations need to employ the best encryption they can afford in tandem with rigorous policies to ensure that no sensitive data is left unencrypted, while educating employees on the need for data security and the consequences if it is ignored. Leaving devices unprotected, or protecting them but leaving the decision to encrypt to the individual worker simply isn't good enough: organisations must be able to guarantee that their data is protected at all times.”