A council which has had two data security incidents within six months has been forced to give an undertaking to ensure devices carrying data are encrypted and staff receive training on data protection.
West Berkshire Council lost an unencrypted and non-password-protected memory stick on 30 March but did not report the loss to the Information Commissioner’s Office (ICO) until 15 April. Details about children’s ethnicity and physical or mental health were held on the memory stick.
Another incident involving the council was resolved informally.
The ICO found that, although the council introduced encrypted memory sticks in 2006, older devices were not recalled and were still being used by staff. The ICO also found that staff had not received appropriate training in data protection issues, and that monitoring of compliance with the council’s policies was inadequate.
The council has now signed a formal undertaking to ensure devices used to store and transmit personal data are encrypted. Staff will receive training on the council’s policy for storing personal data, and on data protection and IT security.
Sally-Anne Poole, enforcement group manager at the ICO, said: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.
“A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands. I am pleased that the council has now taken action to prevent further data breaches.”