The London Borough of Sutton has been reprimanded and ordered by the ICO to use data encryption on its laptop computers. The borough lost paper files and two laptops (both of them unencrypted).
The first laptop was stored in a locked cupboard at a children’s hospital ward. The computer contained the personal data of nine children who were being taught by the council.
The second laptop held the social care data of 39 people. The computer was stolen from an employee’s home. There is no mention of what type of protection, if any, was used (including locked cupboards).
The use of encryption software like AlertBoot endpoint security software would have meant that the theft of these devices would not have resulted in a data breach. The reason is quite simple: with proper encryption, it becomes nearly impossible to access the data on the protected devices. No access to data means no data breach (although you can’t deny theft has taken place).
As such, the undertaking Sutton has signed with the Information Commissioner’s Office requires that any mobile devices with sensitive information (not just laptop computers) be encrypted.
(I’d like to point out that this may be a little short-sighted. There’s no reason why non-mobile devices, like a desktop computer, couldn’t be stolen as well. When it comes to data security, what’s important is not that a device can be easily stolen but that it can be stolen at all.)
The ICO’s requirements go a little bit further than encryption, though. They also call for adequate physical security, for data retention policies to be followed, and for employees to receive awareness training so they are conscious of the need for good data security practices.
Now, considering that one of the laptops was stolen from a locked cupboard, one has to wonder what “adequate” physical security happens to be. I guess a locked cupboard is as good as it gets in the workplace unless one has storage space specifically designed to be breach-resistant (like a safe). But if it’s going to be so easily broken into, is it “adequate”?