Loss of sensitive personal data.
An unencrypted memory stick containing a social care management database was lost during a postal transfer from the Council’s offices to a regular contractor based in Cardiff.
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Databases must only contain information relevant for their purpose and the purpose of transfer. Where possible sensitive personal data should be accessed remotely or hand-delivered. All other post should be adequately tracked and protected. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.
Reason for action
Sensitive data was transferred onto the password protected but unencrypted memory stick in breach of council procedure. The memory stick was sent in inadequately protected packaging, and contained records that were excessive for their purpose and out of date.
3 December 2009
View PDF of the Department of the Shropshire Council Undertaking (Breach Watch Archive)