Cambridgeshire council rapped for memory stick loss

Personal details of vulnerable adults were saved on a memory stick which was lost by a council worker, a watchdog said today.

The Information Commissioner’s Office (ICO) ruled the Data Protection Act was breached when the unencrypted device, containing “sensitive” information about at least six people, was mislaid.

The data included case notes and minutes of meetings about “chronically excluded and vulnerable” social care clients.

The ICO said the device was used after the member of staff encountered problems when using an encrypted memory stick previously provided free of charge by the authority.

Shortly before the breach, in November last year, the council had run an internal campaign promoting its rules on encryption and had asked employees to hand in any unprotected devices.

Sally Anne Poole, the ICO’s enforcement group manager, said slip-ups could not be allowed.

She said: “While Cambridgeshire County Council clearly recognise the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check their data protection policies are continually followed and fully understood by staff.

“We are pleased Cambridgeshire County Council has taken action to improve its existing security measures and has agreed to carry out regular and routine monitoring of its encryption policy to ensure it is being followed.”

The ICO decided not to serve an enforcement notice on the authority.

Mark Lloyd, its chief executive, has signed a formal undertaking which requires him to ensure all portable devices used by the council are encrypted using the latest software.

The authority has also agreed to monitor its data protection and IT security policies regularly to ensure they are being followed by staff.