Hard disk containing data on children stolen from council offices (From Watford Observer)
Get involved: send your pictures, video, news and views by texting WO to 80360, or email us
Dacorum Council escapes fine over computer theft
2:32pm Friday 10th February 2012 in News
Dacorum Borough Council has found itself in trouble with an information watchdog after a computer hard drive, containing sensitive information about children, was stolen.
The Information Commission’s Office (ICO has found the authority to be in breach of the Data Protection Act 1998, after the computer was stolen from a council-owned adventure playground in August.
The hard-drive contained approximately 1,000 registration documents of children who have attended the playground in Hemel Hempstead.
The details included name, address, date of birth, school attended, and in some cases a ‘tick-box’ indication as to whether the data subject had any allergies or other conditions relevant to playground attendance.
The ICO’s Information Commissioner Christopher Graham was notified of this breach and following enquiries found that the registration documents were stored on the desktop and not password protected.
The password that had protected the registration document was removed in 2008 when a member of staff left the council and was not restored.
The commissioner further discovered that the council was “unable to fully investigate the circumstances of this breach due to insufficient record keeping between the relevant departments.”
An annual review of the database had also not been performed, resulting in a number of registration documents not being securely deleted in line with the council’s retention policy.
According to ICO’s report, the data controller “acted swiftly to confirm that no other sensitive personal information was exposed to similar vulnerabilities and confirmed that no complaints or reports of adverse consequences from the data loss have been reported”.
Taking this into consideration, the council has not been served with an enforcement notice, which could have resulted in fines of up to £500,000 for breaking UK data laws, but instead signed an undertaking to address issues relating to the breach.
As such, all council staff are to be made aware of the data controller’s policy for the storage, use, transmission and disposal of personal data and are appropriately trained how to follow that policy.
Personal data shall not be kept when it is no longer relevant or required for its original purpose, and shall be disposed of in a secure manner.
The data controller shall implement security measures to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage. Dacorum Borough Council is one of five councils across the country that has been warned to protect their residents’ privacy by the ICO or risk facing fines.
In a statement released by Information Commissioner Christopher Graham today, he said privacy breaches could have a "damaging" impact on individuals.
He said: "Failures not only put local residents' privacy at risk, but also mean that councils could be in line for a sizeable monetary penalty.”
Dacorum Borough Council is yet to respond.
