The Information Commissioner’s Office (ICO) has fined North East Lincolnshire Council £80,000 after it lost an unencrypted memory stick containing sensitive details of hundreds of children.
The memory stick, containing information on 286 children with special educational needs, has been missing since 1 July 2011 and has not been recovered. An internal review carried out by the council confirmed that the children would suffer ill-health due to the loss.
The device was last seen when it was left in a laptop at the council’s offices by a special educational needs teacher. When the teacher returned to the laptop, the memory stick was gone.
Data on the memory stick included information about the children’s mental and physical health problems, teaching requirements, dates of birth, home addresses and information about their home life.
Although the council had introduced a policy of encrypting portable devices in April 2011, it failed to make sure that all of the memory sticks currently being used by staff were encrypted.
The council was also unable to confirm if the teacher responsible for the memory stick loss had received data protection training at the time.
Stephen Eckersley, ICO head of enforcement, said: “Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices, must be encrypted.
“North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented.
“This breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people’s information is being looked after correctly.”