Praxis Care Limited, a care company based in both Northern Ireland and the Isle of Man, has taken steps to improve its data protection policies and procedures after an unencrypted memory stick holding sensitive personal information, including details of medical care and mental health, was lost on the Isle of Man.

The memory stick was lost in August 2011 and has yet to be recovered. Praxis has, however, informed all 107 Isle of Man residents and 53 Northern Irish residents whose personal details were stored on the memory stick of its loss. Fortunately for all those involved, and as stated in an undertaking by the company, "no reports of adverse consequences from the data loss have been received".

As a result of its failure to keep individuals' personal data secure, the care company has been held to have breached both the UK Data Protection Act 1998 and the Isle of Man Data Protection Act 2002. However, because of the quick action taken by Praxis following the loss, the regulators agreed to accept an undertaking by the company, rather than issuing enforcement notices. The decision was the result of the Information Commissioner's Office and the Office of the Data Protection Supervisor for the Isle of Man working together. Following the success of this partnership, the regulators made it clear that they are happy to work with other foreign regulators to pursue future breaches and to ensure personal information is protected. The UK Information Commissioner, Christopher Graham, stated: "The ICO will continue to work closely with other data protection regulators where it is clear that a data breach extends across national boundaries."

Within the undertaking, Praxis has agreed that: all memory sticks, laptops and similar devices will be encrypted; all staff will be trained in the company's policy for the storage, use and disposal of personal information; information which is no longer relevant will be disposed of in a secure manner; compliance with data protection policies will be regularly monitored; and, lastly, the company will take steps to ensure personal data is secure.

The UK Information Commissioner, Christopher Graham, said that "carrying people's personal information around on an unencrypted stick is clearly unacceptable", his comments highlighting just how careless this incident was. It serves as another reminder that organisations that are data controllers must have solid data protection policies and procedures in place but, more importantly, must regularly review how these are working in practice and ensure that their employees are well versed in what this means for their day-to-day jobs, so that such sloppy mistakes are not repeated in the future.

© MacRoberts 2012
