The ICO has criticised Enable Scotland, a charity based in Glasgow, after two USB sticks and papers containing personal information were stolen from an employee’s home.

The memory sticks were unencrypted and contained details of up to 101 individuals. The data included names, addresses and dates of birth as well as a limited amount of information related to the individuals’ health.

During its investigation, the ICO found that the charity had no procedures in place for home workers on keeping personal data secure. Portable devices containing sensitive personal information were not routinely encrypted, the ICO said.

Furthermore, the investigation determined that the information should have been deleted from the memory sticks once it had been uploaded to the charity’s servers.

"Organisations that use memory sticks to store personal information must make sure the devices are properly protected. Encrypting the data means that the information will remain safe even if the device is later lost or stolen," said Ken Macdonald, Assistant Commissioner for Scotland.

"It is also important that employers provide home workers with guidance on how to keep any personal data taken outside of the office secure, as this is potentially when the information is most vulnerable," Macdonald added.

Enable Scotland has now signed an undertaking to improve its compliance with the Data Protection Act (DPA), such as ensuring that all laptops used to store sensitive information are encrypted. Additionally, hard copies of documents will only contain the minimum amount of personal information required and will only be taken off-premises when "absolutely necessary."

"This recent data breach is another piece of unwelcome news that, for whatever reason, a complacent approach to data protection still remains among some organisations," said Chris McIntosh, CEO of ViaSat.

"It is worrying that given the recent spate of data losses, some organisations still do not have a data protection policy in place for their workers and that do not regularly encrypted their devices. As more organisations look to endorse remote working, sensitive data needs to be made secure from point to point or else we will keep seeing many more cases like this emerge in future," he added.