Loss of sensitive personal data.
A few records.
Two unencrypted laptops containing personal data relating to staff and pupils at a particular school were stolen. In a separate incident an unencrypted USB stick was lost or stolen from the administrative office of an education centre.
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.
Reason for action
The laptops recorded data relating to two schools which were merging and had not been encrypted as they were only being used as a temporary measure in an office environment. Enquiries revealed that there were insufficient physical security measures in place and that the data controller was carrying out an incomplete program of encryption of portable devices.
The USB stick held minimal personal data, but an internal investigation revealed a lack of awareness of data protection requirements among staff and recommended further training and use of encrypted media.
19 March 2010