The Chief Executive of Cambridgeshire County Council this week signed a formal undertaking with the ICO under which the Council agreed to ensure that all portable devices used by it would be encrypted and that it would carry out regular monitoring of its data protection policies and IT security measures in order to ensure that they were being followed by all staff.
This formal commitment by Cambridgeshire County Council was prompted by an incident in November 2010 when an employee of the Council lost an unencrypted memory stick which contained the personal data of at least 6 vunerable individuals. The information on the storage device also included case notes and minutes of meetings relating to the individuals’ support. The unencrypted device was used by a member of the Council’s staff only after they had encountered problems using an encrypted memory stick that the council had previously provided. Ironically the breach occurred shortly after the Council had run an internal campaign promoting their encryption policy, the importance of keeping personal data secure and urging employees to hand in unencrypted memory sticks.
Commenting on the breach and the undertaking given by the Council, Sally Anne-Poole, Enforcement Group Manager at the ICO, said:
“While Cambridgeshire County Council clearly recognise the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check their data protection policies are continually followed and fully understood by staff. We are pleased that Cambridgeshire County Council has taken action to improve its existing security measures and has agreed to carry out regular and routine monitoring of its encryption policy to ensure it is being followed.”