Manchester City Council has breached the Data Protection Act after the theft of two unencrypted laptops, one of which contained personal details relating to 1,754 employees at local schools.
The laptops, which were taken from the Town Hall, were not encrypted nor were they secured to the desks, according to privacy watchdog, the Information Commissioner’s Office (ICO). One of the stolen laptops contained personal details on members of staff in local schools from the Manchester area.
Sir Howard Bernstein, Manchester City Council's chief executive, has signed a formal Undertaking which legally binds the council to comply with the Data Protection Act. This compels the council to ensure all laptops and other removable devices are encrypted and secured to desks or locked away. The council will also ensure that only essential information is downloaded to mobile devices.
ICO's head of enforcement and investigations Sally-Anne Poole said: “The council should handle all personal information, including employment details, in compliance with the Data Protection Act. Organisations must implement appropriate safeguards to ensure personal details are handled securely and do not fall into the wrong hands."
“We urge all councils and their executive teams to take responsibility for treating data protection as a corporate governance issue affecting the entire organisation. They have to make sure that safeguarding the personal information of their staff is embedded in their organisational culture.
“The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. Manchester City Council recognises the seriousness of this data loss and has agreed to take immediate action. It has also agreed to implement an improved training programme, including regular refresher training for all staff.”
Related stories: No more excuses for sloppy data security