The Information Commissioner's Office (ICO) has reported that a historical society breached data protection laws when one of its work laptops was stolen.
An employee was using it away from the workplace and had set it down in an undisclosed location when a break-in occurred, and the laptop – among other things – was stolen. The laptop, purchased by the historical society, contained sensitive personal information of artefact donors.
The ICO did not further explain exactly what information this included.
Our data protection laws are governed by a set of principles intended to ensure that companies and authorities, as data controllers, do everything they can to protect personal information. They need to actively safeguard your information to prevent any third parties illegally accessing or misusing it.
In this case, the ICO reported that the historical society breached the 7th principle:
“Appropriate technical or organisational measures shall be taken against unauthorised/unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data”.
The ICO condemned the situation for a number of reasons:
The laptop wasn’t encrypted, and because of the nature of the information the device held, it should have been encrypted. Encryption is a basic security measure that can be highly effective. Mobile devices used for work must comply with security protocols to make sure they are secure for use and will remain protected in and out of the office.
The historical society didn’t have any policies regarding people working away from the workplace or using devices away from the workplace. The environment can be vastly different when working away from home and security protocols must be put in place to make sure that the employee can work to a standard that ensures data protection laws are always complied with.
There was no provision of storage for mobile devices. Similar to above, work mobile devices should be kept safe in the workplace when not in use, or whenever possible. The ICO recognises that mobile devices have a high risk of theft, and that the historical society ought to be aware of this too. Following this, there was an unmet expectation that the society should have taken appropriate security measures to prevent the theft, as well as having further safeguards in place for the data should a theft occur.
The ICO’s report further emphasised past enforcement cases involving similar incidents, and that the historical society should reasonably have been aware that it ought to increase its security. The only security measure the society had was that the laptop was password protected.
For the historical society’s shortcomings in providing adequate security for their donors’ personal information, the ICO issued a fine of £500, with consideration of the nature of the organisation’s work.
For the victims who have had their personal information potentially exposed and compromised, there is an option to seek financial compensation for any harm or distress caused.