ICO fines East Lincolnshire council £80,000 for unencrypted USB stick blunder

The Information Commissioner’s Office (ICO) has hit North East Lincolnshire Council with a fine of £80,000 after it admitted losing information regarding children in its care with special educational needs.
According to the council, an unencrypted memory stick went missing on 1 July 2011 after it was left plugged into a laptop at the council’s offices by a special educational needs teacher. The teacher left the laptop unattended and when they returned, the memory stick had gone and has never been recovered.
The USB memory stick contained sensitive data on 286 children who attended local schools, including notes on their mental and physical health problems and teaching requirements. It also included pupils’ dates of birth and some information on home addresses and their domestic arrangements.
The ICO found that although the council had policies in place since April 2011 that made the use of encrypted USB sticks mandatory, it had no policy for checking that this was being followed by staff. It also did not know if the teacher in question had been trained on data protection requirements.
ICO head of enforcement Stephen Eckersley said that the case underlined once more the importance of basic data protection measures such as encryption.
“Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted,” he said.
“North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented.
In response, council chief executive Tony Hunter apologised to those affected and promised improvements would be made. "This data loss should not have happened and we took immediate steps to try to ensure it does not happen again," he said
"It is important to note that since the data loss, we have made major improvements to our policies, training and procedures to prevent another incident like this happening again."
He also noted that a helpline has been set up - 0800 183 0386 - for those concerned to call and set up an appointment to discuss any issues regarding the incident.
Unencrypted data is the bête noire of the ICO, with the data watchdog making repeated calls to organistaions to ensure all data they hold is adequately protected.