23 December 2009

High School Taught A Valuable Lesson By ICO


Waseley Hills High School and Sixth Form Centre has signed an undertaking issued by the Information Commissioner's Office (ICO) after being found to have breached the seventh data protection principle. The undertaking relates to an incident where an unencrypted laptop containing both personal information and sensitive personal information of 984 pupils and 186 staff members was stolen from the school.

The seventh data protection principle, contained in the Data Protection Act 1998, provides that: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

Data controllers are required to ensure that personal data is stored in secure locations, with sufficient technical measures in place to protect the data from unauthorised access. Theft, loss or careless disposal of equipment containing such data are the most common reasons for the ICO to issue undertakings and enforcement notices against organisations, and in many of these cases the data has been made more vulnerable by a lack of encryption on the devices. Exactly one year ago, in response to the increase in the number of high-profile losses of unencrypted devices, the ICO published an opinion which offers recommendations on data security and links to other pages which offer guidance on the matter. This opinion can be viewed by following this link: www.ico.gov.uk/about_us/news_and_views/current_topics/Our%20approach%20to%20encryption.aspx

The Ministry of Justice has recently completed a consultation exercise which considers whether the maximum fine for breaches of the data protection principles should be increased to £500,000. This is in conjunction with a consultation on the introduction of custodial sentences for individuals who knowingly or recklessly misuse personal data, which closes on 7 January 2010. Both of these consultations show that the ICO is pushing for harsher penalties and more widespread compliance from organisations in both the education sector and elsewhere. The Waseley Hills lesson should not be ignored.

MacRoberts offers comprehensive guidance on how to comply with data protection laws. For further information, please contact us.

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.

© MacRoberts 2009
