Another week, another easily prevented data protection breach in the news. This time it is the Glasgow based charity Enable Scotland that is under the spotlight.
From the ICO news release:
A Scottish charity – based in Glasgow – breached the Data Protection Act after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.
The information included peoples’ names, addresses and dates of birth, as well as a limited amount of data relating to the individuals’ health. The charity promptly reported the incident to the ICO in November 2011 and informed those individuals affected.
It appears that, as is so often the case, the charity failed to make its workers aware of good practice advice for maintaining data security and failed to implement some basic technical measures that would have significantly reduced the impact of this incident.
For almost any workforce now, it is a fact of life that your employees will take work home and sensible businesses encourage & enable this to help improve staff work-life balance. With this in mind, it is imperative for organisations to plan and prepare accordingly.
There is very little you can do to prevent a robbery at your employee’s house but you can develop and enforce some simple policies that will reduce the impact for both your organisation and the people whose data you may be processing.
At a minimum, you need to:
- Develop a policy covering work data at home and make all staff aware of its contents.
- Provide technical controls for your employees to enable them to protect the data they process (such as use of free disk encryption tools).
Two easy steps which would eliminate the huge majority of data protection breaches for very little cost.
So far the Information Commissioner has been very tolerant with organisations committing very basic mistakes, and failing to learn from the mistakes of others, this may not go on for ever. Rather than continue to take risks, act now to implement basic controls.