Out-Law News

ICO repeats need to encrypt personal data on devices

Organisations that store personal data on electronic devices must encrypt the information if it would cause damage or distress should the records be lost or stolen, the UK's data protection watchdog has said.

The Information Commissioner's Office (ICO) repeated the guidance it has previously issued after reporting that two organisations that lost sensitive personal data stored on unencrypted laptops had signed undertakings to improve their procedures.

Under the Data Protection Act, organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

The DPA also defines "sensitive personal data" as including personal data relating to an individual's "physical or mental health or condition". Because information about such matters could be used in a discriminatory way, and is likely to be of a private nature, it must be treated with greater care than other personal data, the ICO has said in guidance on sensitive personal data.

The ICO has previously said that all personal data stored electronically should be encrypted if it "would cause damage or distress if it were lost or stolen".

The ICO said that an unencrypted laptop was stolen from a trade union employee's house in May. The laptop contained information on about 100 people who belonged to the Association of School and College Leaders (ASCL) organisation, including some data on the members' mental and physical health, the watchdog said.

The laptop contained software which would have enabled the data to be encrypted, but ASCL had left it to the employee to decide whether or not to use the technology, the ICO said.

Another unencrypted laptop was also stolen from a London school on 1 May. The laptop, which was removed from an unlocked school office at Holly Park school, "contained details of pupils’ names, addresses, exam marks and some limited information relating to their health," the ICO said. Upon investigation the ICO discovered that the school did not have a data protection policy in place at the time.

"The ICO's guidance is clear: all personal information - the loss of which is liable to cause individuals damage and distress - must be encrypted," Sally Anne Poole, acting head of enforcement at the ICO, said.

"This is one of the most basic security measures and is not expensive to put in place - yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people's personal information at risk unnecessarily. We are pleased that the Association of School and College Leaders and Holly Park school have taken action to make sure the personal information they collect remains secure."

The ASCL and Holly Park school signed separate undertakings committing the organisations to encrypt personal data stored on electronic devices when the information is likely to cause damage or distress if lost or stolen. Both organisations have agreed to raise awareness among staff of their data protection policies and to train them on how the procedures should be followed.

The trade union and school have also agreed to regularly monitor compliance with their data protection policies, whilst Holly Park has also committed to ensuring that their "physical security measures are adequate to prevent unauthorised access to personal data, particularly portable devices," the school's undertakings said.