ICO takes action against Home Office, NHS Trusts

The Information Commissioner's Office (ICO) has found the Home Office and two National Health Service (NHS) Trusts in breach of the Data Protection Act (DPA).

The Home Office action follows the loss of an unencrypted memory stick by a contractor, PA Consulting in August 2008 that held the sensitive personal details of thousands of individuals, including those serving custodial sentences or who had previously been convicted of criminal offences.

The ICO said the Home Office must, with immediate effect, ensure all portable and mobile devices that are used to store and transmit personal information are encrypted. And contractors processing personal information on its behalf must also use encryption software.

Mick Gorrill, Assistant Information Commissioner at the ICO said the Home Office case was particularly serious, regardless of the fact a contractor lost the data. "It is the data controller (the Home Office) which is responsible for the security of the information," he said.

"The Home Office recognises the seriousness of this data loss and has agreed to take immediate remedial action. It has also agreed to conduct future audits to ensure compliance with the Act," he added.

Sir David Normington, the Permanent Secretary, is signing a formal undertaking on behalf of the Home Office outlining that it will process personal information securely in the future.

At the same time, the ICO has also required Abertawe Bro Morgannwg University NHS Trust and Tees, Esk and Wear Valleys NHS Foundation Trust, to sign formal undertakings that they will process personal information in line with the DPA.

The action comes after an unencrypted laptop containing the sensitive personal data of approximately 5,000 patients, including some health records, was stolen from the Abertawe Bro Morgannwg University NHS Trust. And Tees, Esk and Wear Valleys NHS Foundation Trust informed the ICO that an unencrypted memory stick had been lost containing sensitive personal information relating to patients and trust staff. The trust initiated its own investigation after the data stick was returned to the trust.

In all three cases, the ICO has mandated the implementation of appropriate security measures, including adequate encryption policies and staff and contractor security policy adherence, to ensure that personal details are properly protected.

Miya Knights

A 25-year veteran enterprise technology expert, Miya Knights applies her deep understanding of technology gained through her journalism career to both her role as a consultant and as director at Retail Technology Magazine, which she helped shape over the past 17 years. Miya was educated at Oxford University, earning a master’s degree in English.

Her role as a journalist has seen her write for many of the leading technology publishers in the UK such as ITPro, TechWeekEurope, CIO UK, Computer Weekly, and also a number of national newspapers including The Times, Independent, and Financial Times.