The Information Commissioner’s Office (ICO) has rapped the Newcastle Youth Offending Team after an unencrypted laptop was stolen, potentially compromising the personal details of 100 young people.
The incident occurred in January this year when a laptop was stolen from the Northumbria home of a contractor who had been working on a youth inclusion programme on behalf of the Team.
The Newcastle Youth Offending Team had failed to encrypt the laptop. The data on it contained names, addresses, dates of birth and the names of the schools the young people attended, the ICO said.
The ICO found that although the Newcastle Youth Offending Team had a contract in place with the contractor, it failed to ensure that its employees were complying with necessary security measures.
The organisation has agreed to take reasonable steps to ensure all data processors contracted to act on its behalf comply with the Data Protection Act. It will also ensure all portable and mobile devices, including laptops, are encrypted.
Sally-Anne Poole, acting head of enforcement at the ICO, said: "Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure. But, to their detriment, not enough data handlers are making use of it."
"This case also highlights how important it is to ensure that watertight procedures are in place before any work is undertaken by contractors," she added. "Organisations shouldn’t simply assume that third parties will handle personal data in line with their usual standards. I’m pleased that Newcastle Youth Offending Team has learned lessons from this incident and hope that it encourages others to heed our advice."
Chris McIntosh, CEO of ViaSat UK, added: "In light of MPs’ desire to see jail time for those dealing in stolen data, both the public and private sector must ensure that the data in their care is fully protected and that users are completely aware of the procedures and risks involved."
"As vital tasks become shared across more and more organisations, it is imperative that bodies such as city councils and youth offending teams control not only their own data protection policies but also those of any contractors. Indeed, data security should form a key part of any contract that is signed and should be monitored rigorously with failure to comply being met with hefty penalties. Otherwise, contractors that show a flagrant disregard for security will be a continuing weak link for a public sector desperately improving its data protection," he added.