The Information Commissioners Office reports that the data was saved on an unencryped memory stick and went missing when the device was left in a laptop by a teacher. The laptop was being used in the Council's offices. The ICO identified that the device contained information of a personal and sensitive nature relating to over 250 children within the council area and included information about mental and physical health problems and the resultant teaching requirements.
Interestingly the Council's own policy was for staff to use encrypted portable devices - a policy which was introduced 3 months prior to the loss, however the Council were deemed to have failed to ensure that the policy was effectively implemented. The Council were also unable to prove that staff, including the teacher concerned, had received training on data protection.
ICO
Head of Enforcement, Stephen Eckersley, said:
"Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted. North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented.
"This breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people's information is being looked after
correctly."