Loss of sensitive personal data.
A few records.
A computer containing sensitive personal data relating to the data controller’s pupils was stolen from an administration.
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.
Reason for action
The computer was stored on a desk in view of an insecure window. It was protected by a password but not encrypted. Investigations revealed that staff needed further training in data protection and that physical security was inadequate.
16 April 2010