The personal details of as many as 101 people were lost when two unencrypted memory sticks and papers were stolen from the home of an employee of a Scottish charity.
According to the Information Commissioner's Office (ICO), the information from Enable Scotland (Leading the Way) included people's names, addresses and dates of birth, in addition to a limited amount of information relating to the individuals' health. The charity reported the incident to the ICO in November 2011 and informed the individuals affected.
The ICO's investigation found that the data should have been deleted from the memory sticks once it had been uploaded onto the charity's server, and that the charity had no specific guidance for home workers on keeping personal data secure. Portable media devices used to store sensitive personal information weren't routinely encrypted.
Ken Macdonald, assistant commissioner for Scotland, said: "Organisations that use memory sticks to store personal information must ensure the devices are properly protected. It is usually important that employers provide home workers with guidance on how to keep any personal data taken outside of the office secure, as this is potentially when the data is most vulnerable.
"We are pleased that Enable Scotland has taken action to keep people's information safe, however this incident should act as a warning to all charities that they ought to ensure personal information is handled correctly."
Peter Scott, chief executive of Enable Scotland, has now signed an undertaking committing the charity to improving its compliance with the Data Protection Act. This includes ensuring that laptops used to store sensitive personal data are encrypted, and that hard copy files will only be removed from the office when absolutely necessary and will contain the minimum amount of personal data required. Guidance will also be provided to home workers, to make sure that any personal data taken outside of the office is kept secure.
Chris McIntosh, CEO of ViaSat UK, said: "While it's encouraging that the charity reported the breach immediately and notified the relevant parties immediately, the loss of the information itself was something completely avoidable.
"It is worrying that given the recent spate of data losses, some organisations still do not have a data protection policy in place for their workers and do not regularly encrypt their devices. As more organisations look to endorse remote working, sensitive data ought to be made secure from point to point, otherwise we will keep seeing many more cases like this emerge in future."