Barnet and West Sussex both found themselves in the dock at the Information Commissioner’s Office after the theft of IT equipment containing sensitive data about children. The watchdog blamed a “systemic” lack of staff IT training after finding that personal information about children had been lost by the two authorities.
Both councils were found to have breached the Data Protection Act.
In the LB Barnet case, sensitive personal information about more than 9,000 children and their families was stolen from the home of a staff member. The employee had taken an unencrypted, non-password-protected USB stick and CDs containing the information home.
The ICO report says the employee had downloaded the data onto the unencrypted devices without authorisation. But it was later discovered that Barnet provided neither training nor technical controls to prevent such downloads.
To make matters worse, the ICO had previously audited the north London authority and that audit had already highlighted a lack of staff training.
It’s a similar story in West Sussex CC. Here a laptop with personal information about an unknown number of children involved in childcare proceedings was taken from the home of an employee. Once again the laptop was unencrypted, and the ICO revealed that the employee had received no formal training on data protection or IT security.
When you discover that the ICO also found that more than 2,300 unencrypted laptops were likely to be in use across West Sussex’s various services, you can see that this particular case was a security breach waiting to happen.
The good news is that Barnet and West Sussex have now signed formal agreements to ensure that staff will be made fully aware of their respective policies for the storage and use of personal data.
Oh yes, they’ve also agreed to provide training on data protection and IT security.
It’s easy to be high and mighty about this kind of breach, but how many of us can honestly say that we ensure data is encrypted, even when it is commercially sensitive? Our guess is that the answer is, as ever, not nearly enough.
What’s your data protection and IT security training policy?