North East Lincolnshire Council

Breach details

What Loss of an unencrypted USB stick containing personal and sensitive data relating to children with special educational needs including names, DOB and reports on mental and physical disabilities.
How much 286 records.
When 01 July 2011.
Why A special educational needs teacher working for the Special Educational Needs Support Service forgot to remove an unencrypted USB stick containing reports on 286 children from a laptop in the Council’s offices on leaving the office at the end of the day on 01 July. When the teacher tried to retrieve the USB stick they discovered it was gone and it has not been recovered to date. The USB stick had been issued in 2005 in order for the teacher to access neccessary data on their visits to schools and community locations that they performed during the majority of their time. An information security policy which had been in draft since 2009 was introduced in March 2011, four months prior to the incident, and specified that removable media such as USB sticks “must be encrypted”. However, unencrypted USB devices were not recalled until immediately after the incident and staff could only encrypt their devices through volunteer initiatives such as a ‘removable media pilot’ and an ‘encryption on request’ service. The member of staff in question had confirmed that they read and understood the new policy in June and had possibly received Data Protection Act e-learning training, but the training was non mandatory and cannot be confirmed.

Regulatory action

Regulator ICO
Action Monetary penalty of £80,000.
When 15 October 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: appropriate measures were not taken to prevent the loss of personal data. In particular there was a lack of training on the importance of using encrypted devices, no technical controls restricting downloads, and no effective policies and controls in place.
Known or should have known Staff were used to dealing with sensitive personal information on a daily basis and had routinely stored this data on unencrypted USB sticks since at least 2005. The risks of using unencrypted USB sticks was identified in 2009 but not forbidden until 2011, and even then the Council continued to allow staff to use unencrypted devices in breach of its own policy. Although there was an encryption service available from this point it was voluntary and efforts to raise awareness were inadequate.
Likely to cause damage or distress The children and families concerned would suffer substantial distress knowing that their sensitive data may have been disclosed to third parties or could be in future, even though it appears that the data has not been disclosed thus far. If the data is accessed by untrustworthy third parties it could expose the children to damage to their health, education and personal relationships.