Most of the data lost by public sector bodies in Scotland was unencrypted, a Freedom of Information (FOI) request has revealed.
The FOI request, made by the Liberal Democrats, revealed that the police, councils and NHS in Scotland recorded 226 data items lost, stolen or simply ‘missing’ since 2007.
Of these 226 items, which included PCs, laptops, mobile phones and hard drives, some with personal data, 171, or 75 percent, were unencrypted. This figure does not include the items where the encryption status was not known.
The most surprising case of data loss is West Dumbartonshire Council, which managed to ‘lose’ 60 unencrypted PCs from its schools between December 2009 and April 2010. The council also lost six USB sticks in the same period.
Scotland’s police departments, Fife Constabulary, Lothian and Borders Police and Strathclyde Police, recorded the lowest number of data loss incidents. However, their 24 incidents included the theft of 17 PDAs and four PDA memory cards, where it was not known what data was on the items, as well as the loss of a magnetic tape and USB stick, which contained personal data of police staff and investigation files and training.
The NHS, which the Information Commissioner’s Office has previously revealed is the worst culprit for data breaches, was found to be responsible for 47 of the data loss incidents in Scotland.
These included NHS Ayrshire and Arran, which had an encrypted laptop containing six months’ worth of needle exchange information stolen on 16 February 2010. This included names, dates of birth and postcode sector relating to more than 100 individuals dating back to June 2009.
In addition, NHS Forth Valley lost an unspecified, unencrypted device which contained files on 56 patients and 107 staff.
Robert Brown, Liberal Democrat Justice spokesperson, described the FOI request results as “frightening”.
“Liberal Democrats called for an urgent review into data loss in January. I want to know what the Government have done since then and why the situation has not improved,” said Brown.
“The Government is not in control of the situation. They need to get a grip on this right now.”
In a statement, the Scottish government said that it has set “robust standards” for the storage and transmission of data.
"We expect the same high standards of public sector bodies,” it said. “However, it remains the responsibility of individual police forces, local authorities and health boards to ensure that personal or sensitive information is stored securely."
The Information Commissioner’s Office recently found Yorkshire Building Society in breach of the Data Protection Act after an unencrypted laptop was stolen from its premises.