The Information Commissioner's Office (ICO) and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man have jointly criticised a care provider after an unencrypted memory stick was lost last year.
Praxis Care, which has offices in Northern Ireland and the Isle of Man, breached both the UK Data Protection Act and the Isle of Man Data Protection Act when the stick, containing personal information about 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the island in August 2011.
Some of the data was sensitive and related to individuals' care and mental health. The device has not been recovered. However, Praxis has informed all affected individuals about the loss and no complaints were received by the regulators.
Christopher Graham, UK information commissioner, said: "Carrying people's personal information around on an unencrypted memory stick is obviously unacceptable. The indisputable fact that many of the personal details stored on the device were obsolete and so surplus to requirements makes this breach all the more concerning.
"The ICO will continue to work closely with other data protection regulators where it's clear that an information breach extends across national boundaries."
Iain McDonald, Isle of Man data protection supervisor, said: "Today's joint action aims to send a transparent message to organisations that a lax attitude to data security isn't tolerated by either the ODPS or the ICO. We can continue to work with regulators in other countries so that our residents' personal information is protected."
Marcus Ranum, CSO of Tenable Network Security, said: "The comment that 'carrying people's personal information around on an unencrypted memory stick is obviously unacceptable' hits the nail on the head. It's pretty obvious that, if your sensitive data is walking around on USB sticks, there is a risk of it going astray.
"While it's encouraging to work out that regulators are coming down on organisations which are sloppy with their data, CISOs wish to get thinking about the basis explanation for data loss. If your USB stick is encrypted, it's OK, but why was the info on a USB stick in the first place?
"Instead, organisations with critical data ought to rethink their method to information management and consider how that data is accessed, where it's stored and why. Unless someone needs access to the complete patient or customer database, they wouldn't have permission to view it. Organisations ought to start addressing how many people have access to critical information and decrease the exposure of knowledge, in any other case this type of breach should be an endless litany."