Rochdale Metropolitan Borough Council breached the Data Protection Act by losing an unencrypted memory stick containing the details of over 18,000 residents, the Information Commissioner’s Office (ICO) said today. The ICO has required the council to put changes in place and will check to ensure the improvements have been made.
The memory stick – which was lost in May and has not been recovered – included, in some cases, residents’ names and addresses, along with details of payments to and by the council. The device did not include any bank account details. The information had been put on a memory stick to compile the council’s financial accounts.
The ICO’s investigation found that the council’s data protection practices were insufficient – specifically that it failed to make sure that memory sticks provided to its staff were encrypted. The council also failed to provide employees with adequate data protection training. As well as requiring the council to put all of the changes in place by 31 March 2012, the ICO will follow up with the council to ensure that the agreed actions have been implemented.
Acting Head of Enforcement, Sally Anne Poole said:
“Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people.
“Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that’s why we will follow up with the council, to ensure they’re doing everything they can to prevent this type of incident happening again.”
Source: Information Commissioner’s Office
So I viewed the full undertaking and wasn’t quite thrilled with how the council described the incident:
The Information Commissioner (the ‘Commissioner’) was provided with a report of the loss of an unencrypted USB memory stick containing personal data relating to several thousands of the data controller’s constituents.
“Several thousands?” I do not consider 18,000 “several.” Why was the council allowed to downplay the number involved? Perhaps the ICO should insist that undertakings “come clean” on the numbers affected.
Enquiries revealed that much of the information on the USB stick was already available in the public domain.
Again, what’s with the minimizing and why isn’t the ICO stomping on self-serving statements like this?