Data protection watchdog slams organisation for lax attitude to encryption.
The Nursing and Midwifery Council (NMC) has been hit with a £150,000 data breach fine by the Information Commissioner’s Office (ICO).
The data protection watchdog was forced to act after the Council lost three unencrypted DVDs containing evidence from two vulnerable children for use in a forthcoming misconduct trial.
The discs were thought to have been included in a package of evidence that was being couriered to the hearing venue, but – on opening – they were found to be missing and have never been recovered.
David Smith, deputy commissioner and director of data protection at the ICO, hit out at the NMC for failing to ensure the information on the discs was encrypted.
“Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty,” he said.
In a statement to IT Pro, the NMC said it regretted losing the discs, before expressing disappointment at the ICO's decision.
“We want to reassure the public and all our stakeholders that we recognise the importance of data protection and the need for data security. The cause of the incident is understood to have been an isolated human error,” said the statement.
“Our policy, in place at the time, required encryption. We received the DVDs from the police unencrypted but we failed to encrypt them before we sent them on. We very much regret this and have now corrected our practice.”
Even so, Smith has urged companies to seize on this latest breach to review their own data security procedures.
“I would urge organisations to take the time to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case,” he said.
“If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty,” Smith added.