Data Encryption Software: Scotland Charity "Enable Scotland" Loses Memory Sticks.

A Scottish charity, Enable Scotland, that works with patients suffering from learning disabilities has admitted to a data security incident.  Two memory stick devices — which was not protected with data encryption like AlertBoot — was stolen from an employee’s home.  The devices contained personal details.  In addition, papers containing personal details were stolen.

101 Individuals Affected

An employee’s home was broken into and the burglary has become Enable Scotland’s problem.  According to the details presented to the Information Commissioner’s Office, two memory stick devices and papers that contained personal data were stolen during the incident.

The 101 individuals are affected, and names, addresses, dates of birth, and personal health data were lost.  The incident occurred in November 2011.

According to, “the ICO investigated and found the charity had breached the Data Protection Act by not deleting the records from the memory sticks once they had been transferred to the charity’s server.”  Which is weird, because I was under the impression that the stolen papers also contained personal information…

So, basically, I don’t see how the server figures in on this.  I mean, certainly, the information ought to have been deleted.  But is that really the reason why the employee had that data in his/her domicile?  Because one forgot to delete the data?  I take it that the forgetfulness also extended to shredding the paper document?

Regardless, of what may have happened, it’s pretty obvious that encryption software should have been used on the flashdrives.

That it didn’t is not so surprising: the ICO’s investigation found that,

found the charity had no guidance for home workers on keeping personal data secure and portable media devices used to store sensitive personal information were not routinely encrypted. [my emphasis]

This is, as far as I know, against the Data Protection Act.  The ICO has previously noted that the use of encryption is mandatory (the ICO representative’s own words) if personal data is being stored.

Related Articles and Sites:

Comments (0)

Let us know what you think