North East Lincolnshire Council fined £80,000 for losing data on children with special educational needs

Data was on an unencrypted memory stick that was left in a laptop at the council's offices

North East Lincolnshire Council has been fined £80,000 by the Information Commissioner's Office (ICO) for losing an unencrypted memory stick containing data on children with special educational needs.

The memory stick has been missing since 1 July 2011, after the device was left in a laptop at the council's offices by a special educational needs teacher. When the teacher returned, the USB stick was gone and it has never been recovered.

The ICO said that the device contained sensitive personal information about the 286 children who attended local schools, including information about their mental and physical health issues and teaching requirements. Other data included the students' dates of birth, some home addresses and information about their home life.

The ICO said that it had considered the council's internal report into the incident, which concluded that the individuals affected would suffer ill-health due to the data loss.

North East Lincolnshire Council introduced a policy of encrypting portable devices in April 2011, but it did not ensure that those devices that were already in use had been encrypted. The ICO said that the council did not confirm whether the teacher had received the appropriate data protection training at the time of the loss.

"Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted," said the ICO's head of enforcement, Stephen Eckersley.

"North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented," he added.

Eckersley said that all organisations should take note of this incident as a warning and ensure that their data protection policies work in practice.

"Otherwise [the policies] are meaningless and fail to ensure people's information is being looked after correctly," he said.