A cautionary tale for keeping personal data secure

An unencrypted work laptop containing sensitive personal information about staff and residents was stolen from the home of an employee who worked for the nursing home. The ICO found that the nursing home had put its employees and residents at risk by failing to implement policies relating to encryption of the data to make it secure, and homeworking as well as the storage of mobile devices. The employer had also not provided enough data security training to its employees.

The nursing home was able to demonstrate some mitigating factors such as the laptop having a password, and that they reported the matter to the ICO themselves and co-operated throughout the investigation. The employer also rapidly implemented new policies and staff training, but none of that was sufficient for the ICO. The home in this case was fined £15,000, although larger organisations committing a similar offence would be likely to receive a more substantial penalty.

The Data Protection Act governing the relevant law states that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

This means that all organisations which hold personal data of any kind should ensure that they have appropriate measures in place to prevent data from being accidentally or deliberately compromised. Encryption is especially effective to protect data against unauthorised access if the storage device is lost or stolen. Organisations must also have policies in place to keep sensitive and personal data secure, particularly in relation to home working. Of course the policies all need to be implemented and employees should all receive proper training.

This is for guidance only. We recommend that you take legal advice on your particular circumstances.