ICO: British Council breached Data Protection Act

British Council has been found in breach of the Data Protection Act after losing an unencrypted computer disc containing the sensitive data of 2,000 employees.


In December 2008, the disc went missing in transit after the Council sent it using a TNT courier service to the department's human resources staff. The British Council reported the data breach to the Information Commissioner's Office as soon as it became aware of the incident.

The disc was reported to have contained information including names, salaries, national insurance details and bank account numbers. The ICO has since revealed it contained personal data on 2,000 trade union members in addition to bank details.

The Council claimed at the time of the breach that the disc was secure and required special equipment to access, but the ICO has noted that the disc was unencrypted.

The ICO has asked the British Council to sign a formal undertaking that requires the Council to improve its security measures by encrypting all portable and mobile devices that are used to store and transmit personal information.

Mick Gorrill, assistant Information Commissioner, said in a statement: “The British Council proactively reported the breach to the ICO and took immediate remedial action which demonstrates its understanding of the seriousness of this data loss. The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. The organisation also agrees to ensure that its policies on the transfer and sharing of personal information on portable devices are clear and compliant with government standards.”

The ICO said if the Council fails to meet the requirements, it faces further enforcement action.

A British Council spokesperson said in a statement: "The British Council applies the UK Data Protection Act 1998 to all of our global operations unless the local equivalent law is more stringent."


The statement added that the Council is "committed to implementing the requirements of the UK Government's Data Handling Review".
