The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to promote access to official information and to protect personal information. The ICO has legal powers to ensure that organizations comply with the requirements of the Data Protection Act. The ICO is an outgrowth of the Data Protection Act 1998, which has helped to encourage businesses to step up and take action to ensure appropriate protection of data. The ICO, which is responsible for enforcing the Act, has shown great success in getting organizations to cooperate after DPA violations.
Information Commissioner’s Office Enforcements
Reading through the ICO enforcement page is like reading an advertisement for encryption software.
- 14 September 2009 – Billing Pharmacy Ltd, theft of an unencrypted computer containing sensitive personal data for around 1,000 customers.
- 4 September 2009 – Sandwell Metropolitan Borough Council, an unencrypted memory stick was lost by an employee.
- 21 August 2009 – London Borough of Sutton, theft of two unencrypted laptops.
- 20 August 2009 – Repair Management Services Ltd (formerly MVRA), theft of an unencrypted laptop containing the personal information of approximately 36,800 individuals.
- 12 August 2009 – UPS Limited, an unencrypted password-protected laptop was stolen containing the payroll data of approximately 9,150 UK based UPS employees.
- 28 July 2009 – Imperial College Healthcare NHS Trust at St Mary’s Hospital, South Wharf Road, London, theft of six unencrypted laptop computers (two incidents)
- 28 July 2009 – NHS Lothian, theft of an unencrypted memory stick
- 28 July 2009 – London Clubs International Limited, theft of an unencrypted laptop containing the data of approximately 26,000 customers.
- 14 July 2009 – Chelsea & Westminster Hospital NHS Foundation Trust – theft of an unencrypted USB memory stick containing personal data relating to 143 of the Trust’s patients.
- 14 July 2009 – The Hampshire Partnership NHS Trust, theft of an unencrypted laptop computer, containing the personal data of 349 patients and 258 members of staff.
- 14 July 2009 – The Royal Free Hampstead NHS Trust, loss of an unencrypted computer disk containing personal data relating to some of the Trust’s patients.
- 14 July 2009 – Surrey and Sussex Healthcare NHS Trust, theft of two unencrypted laptop computers containing personal data relating to 23 and up to 80 of the Trust’s patients respectively.
Password protected laptops are not secure
Referring to the UPS case noted above, Mick Gorrill, Assistant Information Commissioner with the ICO, said “Password protected laptops are not secure. I urge all organisations to restrict the amount of personal information that is taken off secure sites. I am pleased that UPS has encrypted its laptops and smartphones, and I urge other organisations to follow suit.”
Encryption is the most Affordable Security Approach
In all these cases, the breaches are clear examples where, had a data security measure like laptop encryption software been used, the entire incident could have been avoided. There are so many benefits to encryption; it is so affordable; it is so obvious. Yet, as the ICO enforcements show, we are a long way from universal laptop encryption.
In each of the cases noted here, the organization implemented encryption policies as part of the enforcement with the ICO, and I bet each of them wished they had implemented the same policies on their own, ahead of the law!


