(Follow-up) UK: ICO takes enforcement action against the British Council for serious data breach
As a follow-up to an incident reported in January:
The Information Commissioner’s Office (ICO) has found the British Council in breach of the Data Protection Act after the loss of an unencrypted computer disc. Details lost include sensitive personal information relating to trade union membership of over 2,000 members of staff. The British Council reported the data breach to the ICO as soon as it was aware it had taken place.
The ICO required the British Council to sign a formal Undertaking outlining that it will take reasonable measures to keep personal information secure in future. The Undertaking has been signed on behalf of the British Council by the Chief Executive, Martin Davidson.
By signing the Undertaking, the British Council agrees to implement a number of security measures to protect personal information more effectively. For example, all portable and mobile devices which are used to store and transmit personal information must be encrypted, with immediate effect.
Mick Gorrill, Assistant Information Commissioner at the ICO, said: “The British Council proactively reported the breach to the ICO and took immediate remedial action which demonstrates its understanding of the seriousness of this data loss. The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. The organisation also agrees to ensure that its policies on the transfer and sharing of personal information on portable devices are clear and compliant with government standards.”
Failure to meet the terms of the Undertaking is likely to lead to further enforcement action by the ICO. A copy of the Undertaking can be downloaded from http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx.
Source: ICO Press Release (pdf)