ICO slams charities for data breaches

Two charities have agreed to sign undertakings and update policies

The ICO has slammed several charities for high-profile breaches of sensitive information relating to vulnerable young people.

Sheffield-based Asperger's Children and Carers Together (ACCT) and Nottingham-based charity Wheelbase Motor Project both breached the Data Protection Act by failing to encrypt computers containing the information.

Both breaches occurred when devices were stolen.

ACCT reported a breach after an unencrypted laptop, containing personal data relating to 80 children who attended its sessions, was stolen from an employee's home in December last year.

The laptop was being used to store medication information as well as children's names, addresses and dates of birth.

Wheelbase Motor Project also reported a breach after the theft of an unencrypted hard drive from the charity's offices.

The device contained personal information relating to 50 young people, and included some details about past criminal convictions and child protection issues.

Sally-Anne Poole, acting Head of Enforcement at ICO, said: "The ICO's guidance is clear: any organisation that stores personal information on a laptop or other portable devices must make sure that the information is encrypted.

"Information about young people's medical conditions or criminal convictions is obviously sensitive, and should have been adequately protected.

"We are pleased that both charities have agreed to take the necessary steps to ensure that the personal information they hold is kept secure from now on."

Both ACCT and Wheelbase Motor Project have agreed to sign undertakings
to ensure that all portable and mobile devices used by charity staff to store personal data will be encrypted.

The charities have also agreed to update their existing policies and procedures for the storage and use of personal data, and will make sure that their staff receives appropriate training on how to follow them.