Home : Public Sector : News

ICO takes action against Home Office, NHS Trusts

Data losses at the Home Office and two NHS Trusts, has led the Information Commissioner to take enforcement action, mandating remedial security measures.

By Miya Knights, 23 Jan 2009 at 14:34

gallery

The Information Commissioner’s Office (ICO) has found the Home Office and two National Health Service (NHS) Trusts in breach of the Data Protection Act (DPA).

The Home Office action follows the loss of an unencrypted memory stick by a contractor, PA Consulting in August 2008 that held the sensitive personal details of thousands of individuals, including those serving custodial sentences or who had previously been convicted of criminal offences.

The ICO said the Home Office must, with immediate effect, ensure all portable and mobile devices that are used to store and transmit personal information are encrypted. And contractors processing personal information on its behalf must also use encryption software.

Mick Gorrill, Assistant Information Commissioner at the ICO said the Home Office case was particularly serious, regardless of the fact a contractor lost the data. “It is the data controller (the Home Office) which is responsible for the security of the information,” he said.

“The Home Office recognises the seriousness of this data loss and has agreed to take immediate remedial action. It has also agreed to conduct future audits to ensure compliance with the Act,” he added.

Sir David Normington, the Permanent Secretary, is signing a formal undertaking on behalf of the Home Office outlining that it will process personal information securely in the future.

At the same time, the ICO has also required Abertawe Bro Morgannwg University NHS Trust and Tees, Esk and Wear Valleys NHS Foundation Trust, to sign formal undertakings that they will process personal information in line with the DPA.

The action comes after an unencrypted laptop containing the sensitive personal data of approximately 5,000 patients, including some health records, was stolen from the Abertawe Bro Morgannwg University NHS Trust.

And Tees, Esk and Wear Valleys NHS Foundation Trust informed the ICO that an unencrypted memory stick had been lost containing sensitive personal information relating to patients and trust staff. The trust initiated its own investigation after the data stick was returned to the trust.

In all three cases, the ICO has mandated the implementation of appropriate security measures, including adequate encryption policies and staff and contractor security policy adherence, to ensure that personal details are properly protected.