The Information Commissioner’s Office (ICO) has found the Association of Teachers and Lecturers (ATL) to be in breach of the Data Protection Act 1998 by failing to encrypt its stored data. A laptop and memory stick, which contained personal data relating to over 6,000 people, was lost or stolen when an ATL member was loading items into his car.
The ATL’s general secretary has had to sign an undertaking guaranteeing that all of the organisation’s portable data devices will be encrypted, and is required to carry out a review of its policy on data protection and storage. Members of staff are no longer permitted to store this kind of data on memory sticks or USB keys.
Although the missing laptop was password protected, the memory stick in question had no such protection and belonged to a member of staff rather than the organisation. The memory stick contained 3,366 of the records that were also contained on the laptop.
The ICO has stressed that members of staff should not be allowed to transfer and store personal data on their own devices, especially if these contain sensitive information. Data controllers should be aware of this and issue guidance to staff members accordingly.
If you would like advice on implementing a privacy policy and ensuring your organisation fully complies with the Data Protection Act, contact us.