Cambridgeshire County Council has breached the Data Protection Act after a memory stick containing sensitive data relating to vulnerable adults went missing.
The Information Commissioner's Office (ICO) was told about the loss in November 2010, when an employee lost an unencrypted memory stick containing personal data of six individuals.
The unencrypted stick had not been approved to store the information that was downloaded onto it.
Furthermore, the breach happened just after the council had carried out an internal campaign to promote its encryption policy.
Data included case notes and minutes of meetings related to the individuals' support.
"While Cambridgeshire County Council clearly recognise the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check their data protection policies are continually followed and fully understood by staff," said Sally Anne Poole, enforcement group manager at the ICO.
"We are pleased that Cambridgeshire County Council has taken action to improve its existing security measures and has agreed to carry out regular and routine monitoring of its encryption policy to ensure it is being followed."
The council has escaped a fine, but has pledged to use adequate encryption on portable devices and regularly monitor data protection and IT security policies.
A Cambridgeshire County Council spokesperson apologised for the data loss and confirmed the affected parties had been informed.
"The loss of the memory stick was immediately reported by the member of staff involved, who following a full investigation has been disciplined and given advice on their future professional conduct," the spokesperson said.
Chris McIntosh, chief executive (CEO) of Stonewood, said the council had failed with employee education.
"An organisation can have the best security technology and protocols in the world, but without an educated workforce they're worthless," he said.
"There will always be a chance of human error in IT security; the job of the organisation is to make sure that its employees are educated on these risks and that policies are enforced."
Earlier this week, the ICO rapped the Identity and Passport Service for losing customer data.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
The UK cybersecurity sector is worth over £13 billion, but experts say there’s huge untapped potential if it can overcome these hurdlesAnalysis A new report released by the DSIT revealed the UK’s cybersecurity sector generated £13.2 billion over the last year
-
"Thinly spread": Questions raised over UK government’s latest cyber funding schemeThe funding will go towards bolstering cyber skills, though some industry experts have questioned the size of the price tag
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
