Out-Law / Your Daily Need-To-Know

Housing associations promise better data protection after personal information loss

05 Aug 2011, 2:26 pm

Two London borough housing associations have given undertakings to ensure future compliance with UK data protection laws after tenants' personal information was found on an unencrypted memory stick, the Information Commissioners' Office (ICO) has said.

Organisations responsible for holding personal data must secure it from "unauthorised or unlawful processing ... and against accidental loss or destruction of, or damage to, personal data," a principle of the Data Protection Act provides.

The ICO, the UK's data protection watchdog, said that the memory stick, belonging to a contractor who had worked for both housing associations, was found in a pub and was subsequently handed in to police.

The stick contained details of over 20,000 tenants of Lewisham Homes (Lewisham) and 6,200 tenants of Wandle Housing Association (Wandle). Bank details of nearly 800 Lewisham tenants were also contained on the memory stick, the ICO said.

"Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office. Luckily, the device was handed in and there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected," Sally-Anne Poole, Acting Head of Enforcement at the ICO, said in a news release.

The contractor had copied the data onto the memory stick due to problems backing up work on Lewisham's network, according to the undertaking signed by Lewisham (2 page / 19 KB PDF).

Lewisham had no effective measures in place to prevent the use of personal and unencrypted USB devices and did not provide training for contract workers in their data protection policies, the undertaking said.

The undertaking signed by Wandle (2 page / 19 KB PDF) said that the contractor had also copied the data from Wandle 's network onto the stick to work on a laptop computer at home, as he had experienced problems with a remote connection to the association's network.

There was no evidence that Wandle had ever trained the contractor in their IT and data protection policies and procedures, Wandle's undertaking said.

Under the terms of the undertakings both housing associations agree to ensure that all personal portable devices are encrypted and that all staff, including temporary and contract workers, are made aware of the association's data protection policies. Regular monitoring will also take place to ensure that personal information is kept secure, the ICO said.