North East Lincolnshire Council receives a monetary penalty after losing hundreds of children’s details on an unencrypted council memory stick
October 30, 2013 |
The Information Commissioner’s Office has served North East Lincolnshire Council with an £80,000 monetary penalty as a result of a serious data breach involving sensitive information about 286 special needs children. The use of unencrypted memory sticks, and of data cards in phones, poses a continuing problem for data security. In this case the stick, left inserted in a laptop at the council’s office, was unattended and stolen.
The news release (found here) relevantly provides:
The Information Commissioner’s Office (ICO) has served North East Lincolnshire Council with a monetary penalty of £80,000 after a serious data breach resulted in the sensitive information of hundreds of children with special educational needs being lost.
The information was stored on an unencrypted memory stick and has been missing since the 1 July 2011 when the device was left in a laptop at the council’s offices by a special educational needs teacher. When the teacher returned to the laptop the memory stick was gone and it has never been recovered.
The device contained sensitive personal information about the 286 children who attended local schools, including information about their mental and physical health problems and teaching requirements. The device also included the pupils’ dates of birth and some included details of their home addresses and information about their home life.
The ICO’s investigation considered an internal report carried out by the council into the incident, which confirmed that the individuals affected would suffer ill-health due to the loss. While the council had introduced a policy of encrypting portable devices in April 2011, it failed to make sure all of the memory sticks currently being used by staff were encrypted. The council was also unable to confirm if the teacher had received data protection training at the time of the loss.
ICO Head of Enforcement, Stephen Eckersley, said:
“Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted. North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented.
“This breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people’s information is being looked after correctly.”
The monetary penalty notice (found here) provides, with its paragraph numbering omitted:
North East Lincolnshire Council is the data controller, as defined in section 1(1) of the Act, in respect of the processing of personal data carried on by North East Lincolnshire Council (referred to in this notice as ‘the data controller’).
Following a serious contravention of the data controller’s duty, under section 4(4) of the Act, to comply with the seventh data protection principle, the Commissioner considers it appropriate, for the reasons set out below, to serve on the data controller notice of a monetary penalty in the sum of £80,000 (eighty thousand pounds).
Statutory framework
Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is the data controller.
Under sections 55A and 55B of the Act (introduced by the Criminal Justice and Immigration Act 2008, which came into force on 6 April 2010) the Commissioner may, in certain circumstances, where there has been a serious contravention of section 4(4) of the Act, serve a monetary penalty notice (‘MPN’) on a data controller requiring the data controller to pay a monetary penalty of an amount determined by the Commissioner and specified in the notice but not exceeding £500,000.
The Commissioner has issued Statutory Guidance under section 55C(1) of the Act about the issuing of monetary penalties which is published on the Commissioner’s website. It should be read in conjunction with the Data Protection (Monetary Penalties and Notices) Regulations 2010 and the Data Protection (Monetary Penalties) Order 2010.
This case involves the disclosure of personal data and sensitive personal data. Personal data is defined in section 1 of the Act.
Power of Commissioner to impose a monetary penalty
Section 55A of the Act provides that:
(1) The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that –
(a) there has been a serious contravention of section 4(4) [of the Act] by the data controller,
(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the data controller –
(a) knew or ought to have known –
(i) that there was a risk that the contravention would occur, and
(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
(b) failed to take reasonable steps to prevent the contravention.
Background
On 1 July 2011 an unencrypted USB memory stick containing personal and sensitive personal data was lost on the data controller’s premises. A special educational needs teacher had been working with the information held on the USB stick while using a laptop that was connected to the data controller’s networked computer system. When logging off the system and leaving the office for the day, the teacher forgot to remove the USB stick. When the teacher realised the mistake and tried to retrieve the USB stick, it was gone. To date, the USB stick has not been recovered. The data controller completed an internal investigation in response to the incident.
The teacher worked in the data controller’s Special Educational Needs Support Service in the Children’s Services Directorate (‘the directorate’). The teacher would spend the majority of time away from council offices visiting schools and other community locations. The teacher was not primarily office based and did not have remote access to the data controller’s computer system. Information was saved on the USB stick as it enabled access to necessary data during visits to the different locations. The data controller issued the teacher with the USB stick in 2005.
Following the incident, the data controller carried out a risk assessment for the potential damage and distress to the data subjects. The internal report estimated that the loss of the sensitive personal data is likely to lead to the ill-health of those affected through the disclosure of the data or due to a break in the services which they were receiving. The likely damage and distress to the data subjects is substantial due to the volume of data which has been lost, and that the data subjects are children aged 5-16, some of whom are deemed vulnerable (and their families). The data subjects were not notified of the data breach.
The data controller introduced an information security policy in March 2011, four months prior to the incident occurring. This policy specifies that removable media (e.g. USB sticks) “must be encrypted”. This policy had been in draft form since 2009. Prior to the introduction of the policy in 2011, the data controller’s previous policy referred to portable devices, such as laptops, but did not detail specific issues about removable media and USB memory sticks.
After the introduction of the information security policy, the data controller asked for volunteers to take part in a ‘removable media pilot’ to test new encryption software. This software automatically encrypts any removable media device placed in a computer on the data controller’s system. At the same time, the data controller offered an ‘encryption on request’ service for removable media. Both of these were presented on a volunteer basis. Prior to these two initiatives, the data controller did not have anything in place to enable staff to comply with the information security policy relating to USB sticks. Following the data loss incident in July 2011, the data controller immediately recalled the unencrypted USB memory sticks in the directorate and erased the data.
The data controller provides e-learning training on the Act and information security. The information security training is part of another training module, which is undertaken by staff to obtain a GCSx email address. The teacher had undertaken the training in order to obtain a GCSx email address prior to the incident, but it cannot be confirmed they had received the Data Protection Act training prior to the incident. The data controller has recognised that staff may not be aware of information security unless they have carried out GCSx training. This training has been reviewed following the incident and it is being launched as a separate module to be communicated to all staff. The training modules were not mandatory. The data controller reviewed this policy following the data loss and the training is now mandatory.
Grounds on which the Commissioner proposes to serve a monetary penalty notice
In deciding to issue this Monetary Penalty Notice, the Commissioner has considered the facts of the case and the deliberations of those within his office who have recommended this course of action. In particular, he has considered whether the criteria for the imposition of a monetary penalty have been met; whether, given the particular circumstances of this case and the underlying objective in imposing a monetary penalty, the imposition of such a penalty is justified and whether the amount of the proposed penalty is proportionate.
Serious contravention of section 4(4) of the DPA
The Commissioner is satisfied that there has been a serious contravention of section 4(4) of the Act in that there has been a breach of the data controller’s duty to comply with the Seventh Data Protection Principle.
The Seventh Data Protection Principle provides, at Part I of Schedule 1 to the Act, that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Paragraph 9 at Part II of Schedule 1 to the Act further provides that:
“Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to –
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected”
In particular, in this case, the data controller has failed to take sufficient appropriate technical and organisational measures against accidental loss of personal data such as a combination of, training staff on the importance of using encrypted USB sticks; technical controls to prevent downloading on to unencrypted portable media; effective organisational policies and controls; and enabling compliance with those policies and controls. The Commissioner considers that the contravention is serious because the measures did not ensure a level of security appropriate to the nature of the data to be protected and the harm that might result from accidental loss.
The contravention is of a kind likely to cause substantial distress
The Commissioner is further satisfied that the contravention in this particular case is of a kind likely to cause substantial damage and substantial distress for the following reasons:
i) Personal data and sensitive personal data were lost due to the inappropriate technical and organisational measures taken by the data controller.
ii) The data in this case is sensitive. The data, contained in hundreds of files, identifies school children with special educational needs. It constitutes reports about issues of physical and mental health, learning disabilities, home-life, whether the child is deemed vulnerable and teaching strategies for the pupils. The data was current at the time of the loss.
iii) The data subjects would suffer from substantial distress knowing that their sensitive personal data may be disclosed to third parties, even though, so far as the Commissioner is aware, those concerns have so far not materialised. The USB memory stick has not been recovered.
iv) If the data is in fact accessed by untrustworthy third parties then it is likely the contravention would cause further substantial distress and substantial damage to the data subjects such as exposing them to damage to their health, education and personal relationships.
The data controller ought to have known that there was a risk that the contravention would occur, that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention
The Commissioner is satisfied that section 55A(3) of the Act applies in that the data controller ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial distress, but it failed to take reasonable steps to prevent the contravention for the following reasons:
i) Staff employed by the data controller were used to handling sensitive personal information on a routine basis and the data controller was aware of the sensitive nature of this personal data.
ii) A large amount of personal data relating to pupils had been stored on unencrypted USB sticks since at least 2005. The nature of the teacher’s job required routinely working outside of the secure office environment at different locations which did not have access to the data controller’s network.
iii) The data controller was aware that staff members were routinely downloading information from the network and the data controller would have been aware of the sensitive nature of the personal information being stored on USB sticks.
iv) The data controller identified a requirement for an encryption policy in 2009, but this was not implemented until 2011. Despite having identified the risks of using unencrypted USB sticks, the data controller still allowed their use.
v) Following implementation of the Information Security Policy in 2011, the data controller continued to allow staff to use unencrypted USB sticks, in breach of its own policy.
vi) While there was an encryption service available, its use was voluntary. The data controller has accepted that the initial attempt to raise awareness of the encryption service was not adequate.
vii) The data controller therefore knew, or ought to have known, there were inherent risks attached to using unencrypted removable media devices.
viii) The data controller did not take reasonable steps to prevent the contravention such as a combination of training staff on the importance of using encrypted USB sticks; technical controls to prevent downloading on to unencrypted portable media; effective organisational policies and controls; and enabling compliance with those policies and controls.
In the circumstances, the data controller knew, or ought to have known that there was a risk that this contravention would occur, unless reasonable steps were taken to prevent the contravention.
Further it should have been obvious to the data controller that such a contravention would be of a kind likely to cause substantial distress to the data subjects due to the nature of the data involved.
Aggravating features the Commissioner has taken into account in determining the amount of a monetary penalty
Effect of the contravention
The contravention was serious because of the sensitive nature of the personal data involved in the data loss.
The data related to approximately 286 pupils aged 5-16 with special educational needs; some of whom were considered to be vulnerable children.
The USB stick has not been recovered.
The data controller is unable to determine whether any unauthorised third parties may have had access to the data.
Although the data controller had a long term plan to eliminate the risks associated with removable media it had failed to implement any effective short term plan to limit the risks.
The data controller considered recalling all the USB sticks but decided against doing so as it did not have a record of the number of sticks in use and could not guarantee the success of a recall.
The data controller continued to issue unencrypted USB sticks for use with non-personal data after the policy was implemented in 2011, even though it was aware of the inherent risk in continuing to issue these types of memory sticks to staff.
The data controller failed to notify the parents/carers of the data loss, despite its internal investigation report recommending notification.
Mitigating features the Commissioner has taken into account in determining the amount of the monetary penalty
Nature of the contravention
The data controller issued an information security policy in March 2011 requiring the use of encrypted USB sticks.
Effect of the contravention
As far as the Commissioner is aware, there is no evidence that the personal data involved in this incident has been inappropriately accessed.
Behavioural issues
The data controller has taken organisational and technical remedial action in respect of removable media, with a view to preventing a recurrence. Immediate action was taken following the incident to recall the USB memory sticks in the directorate and encrypt them.
Remedial measures were in progress at the time of the incident. The data controller had recognised the risk and was proactively working to avoid an incident.
Other considerations
The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the Act. This is an opportunity to reinforce the need for data controllers to ensure that appropriate and effective security measures are applied to personal data, and to review the use of removable media devices, such as USB memory sticks, to ensure appropriate and effective encrypted devices are used.
The data controller has now taken organisational and technical steps to eliminate the possibility of a further incident of this nature occurring.
Notice of Intent
A notice of intent was served on the data controller dated 8 August 2013. The Commissioner received written representations from the data controller’s Chief Executive dated 4 September 2013. The Commissioner has considered the written representations made in relation to the notice of intent when deciding whether to serve a monetary penalty notice. In particular, the Commissioner has taken the following steps:
- reconsidered the amount of the monetary penalty generally, and whether it is a reasonable and proportionate means of achieving the objective which the Commissioner seeks to achieve by this imposition;
- ensured that the monetary penalty is within the prescribed limit of £500,000; and
- ensured that the Commissioner is not, by imposing a monetary penalty, acting inconsistently with any of his statutory or public law duties and that a monetary penalty notice will not impose undue financial hardship on an otherwise responsible data controller.
Amount of the monetary penalty the Commissioner proposes to impose
The Commissioner considers that the contravention of section 4(4) of the Act is serious and that the imposition of a monetary penalty is appropriate. Further, he considers that a monetary penalty in the sum of £80,000 (eighty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.
In reaching this decision, the Commissioner considered other cases of a similar nature in which a monetary penalty has been imposed and the facts and aggravating and mitigating features referred to above.
Of particular relevance in this case is the nature of the personal data lost, the potential for harm and likelihood of distress.