The Information Commissioner’s Office ("ICO") has found that the Royal London Mutual Insurance Society breached the Data Protection Act ("DPA") after eight laptops, two of which contained the personal details of 2,135 people, were stolen from the company’s Edinburgh offices. The individuals affected were employees of various firms which had sought pension scheme illustrations.
The two laptops containing personal information were password protected but unencrypted; a login password alone does not protect data at rest, since the disk can simply be read from another machine. An internal report established that the company was uncertain about the precise location of the laptops at any given time and that physical security measures were inadequate. The report also revealed that managers were not aware that personal information was stored on any of the laptops, which meant no additional precautions to control and secure the data had been taken.
Michael Yardley, Group Chief Executive Officer of the company, has now signed an official Undertaking to ensure that portable and mobile devices including laptops are encrypted. The Undertaking also requires appropriate physical security measures to be put in place to prevent unauthorised access to personal data. All staff will now be made aware of the company's policy for storage and use of personal data.
Mick Gorrill, Head of Enforcement at the ICO, said: "It is crucially important that portable devices such as laptops containing personal information are properly protected. It is particularly concerning that the organisation was unaware of the whereabouts of the laptops at any given time or what information they held. All staff members should be fully aware of the policies and procedures in place to safeguard personal information and should be appropriately trained. I am pleased the Royal London Mutual Insurance Society Ltd has agreed to take further remedial steps to prevent a similar incident happening again."
A full copy of the Undertaking can be viewed here: http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
Please contact us if you would like to discuss a health check of your organisation's data protection policies and procedures.