West Berkshire Council has been found to be in breach of the Data Protection Act following the loss of a USB stick containing the sensitive personal information of children and young people.
The memory stick, which was unencrypted and not password protected, contained information relating to the ethnicity and physical or mental health of the children, among other details.
The Information Commissioner's Office (ICO) found that unencrypted devices, in operation before the council introduced encrypted memory sticks in 2006, were still being used by members of staff.
Further enquiries revealed that staff had not received appropriate training in data protection issues, and monitoring of compliance with the council's policies was found to be inadequate.
Sally-Anne Poole, enforcement group manager at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.
“A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands. I am aware that staff have been provided with encrypted USB sticks since 2006 but older devices were not recalled. I am pleased that the council has now taken action to prevent against further data breaches.”
Chris McIntosh, CEO of Stonewood, claimed that, as this is West Berkshire Council's second reported loss of sensitive, unencrypted data in six months, it is more than a little ironic considering the council's willingness to gather information on its citizens.
He said: “The data loss itself reiterates once again that employees will always be the weakest point in any rigorous security system, and organisations must make sure that they cannot breach security even inadvertently. While the organisation as a whole may know the value of encrypted data, it is imperative that not only do the workers know this, but that there is no opportunity whatsoever for sensitive data to be unencrypted at any point in its life.
“If this needs rigorous protocols and automated technology to ensure that, for example, unencrypted USB sticks are correctly recalled, so be it. Otherwise, organisations may be protecting themselves, but they are also passing the buck onto their workers.”