Enable Scotland, a charity that supports people with learning disabilities to live, work and take part in their communities, breached the Data Protection Act when it lost data containing names, addresses and dates of birth, as well as some information on personal health.
The charity promptly reported the incident to the Information Commissioner’s Office (ICO) in November 2011 and an investigation was launched. The individuals affected by the loss of data were also informed.
The ICO investigation found that the data should have been deleted from the memory sticks once it had been uploaded on to the charity’s server, that there was no specific guidance for home workers on keeping personal data secure, and that portable devices such as memory sticks used to store sensitive personal information were not encrypted.
Ken Macdonald, assistant commissioner for Scotland, said: “Organisations that use memory sticks to store personal information must make sure the devices are properly protected.
“Encrypting the data means that the information will remain safe even if the device is later lost or stolen.
“It is also important that employers provide home workers with guidance on how to keep any personal data taken outside of the office secure, as this is potentially when the information is most vulnerable.
“We are pleased that Enable Scotland has taken action to keep people’s information safe, however this incident should act as a warning to all charities that they must ensure that personal information is handled correctly.”
Peter Scott, chief executive of Enable Scotland, signed an undertaking committing the charity to improving its compliance with the Data Protection Act.
The undertaking includes making sure laptops and media used to store sensitive personal data are encrypted and that hard copy files are only taken from the office when absolutely necessary.
Guidance is also being provided to home workers to ensure that any personal data taken outside of the office is kept secure.
Chris McIntosh, chief executive of security and communications firm ViaSat UK, said there is a complacent approach to data protection amongst many organisations.
He said: “While it is encouraging that the charity reported the breach immediately and notified the relevant parties immediately, the loss of the data itself was something completely avoidable.
“It is worrying that given the recent spate of data losses, some organisations still do not have a data protection policy in place for their workers and do not regularly encrypt their devices.
“As more organisations look to endorse remote working, sensitive data needs to be made secure from point to point or else we will keep seeing many more cases like this emerge in future.”