U.K. Council Fined for Security Breach


The U.K. Information Commissioner's Office (ICO) has fined the North East Lincolnshire Council £80,000 after the loss of an unencrypted USB drive exposed the personal information of 286 children with special education needs.

A special educational needs teacher left the drive in a laptop at the council's offices on July 1, 2011, but when she returned to the laptop, the memory stick was missing.

The USB drive, which hasn't been recovered, contained information about the 286 children's mental and physical health problems and teaching requirements, along with their birthdates and some home addresses.

The council had introduced a policy of encrypting all portable devices in April 2011, but it hadn't ensured that all memory sticks in use at the time were encrypted.

"Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted," ICO head of enforcement Stephen Eckersley said in a statement. "North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented."

"This breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people’s information is being looked after correctly," Eckersley added.