ICO raps two organisations after theft of unencrypted laptops

The Information Commissioner's Office (ICO) has again drawn attention to the dangers of using unencrypted laptops to store sensitive data, after two organisations had devices stolen that contained personal information.

In the first case, a laptop owned by an employee of the Association of School and College Leaders was stolen that contained sensitive personal data on around 100 individuals, including details on their physical and mental health.

Even more damning was the fact that, while the laptop had encryption software installed, the decision to encrypt individual documents was up to the employee.

The second incident concerned the theft of an unencrypted laptop from an unlocked office at Holly Park School in Barnet, also in May, which contained pupils' names, addresses, exam marks and some health information.

The ICO also discovered that the school had no data protection policy in place at the time of the theft.

Sally Anne Poole, acting head of enforcement at the ICO, vented the watchdog's frustration with the number of incidents involving unencrypted devices.

"The ICO's guidance is clear: all personal information - the loss of which is liable to cause individuals damage and distress - must be encrypted," she said.

"This is one of the most basic security measures and is not expensive to put in place, yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people's personal information at risk unnecessarily."

Both organisations have now signed undertakings to ensure that devices are encrypted and that employees are fully aware of data protection policies.

The incidents follow the revelation that East Surrey Hospital lost the details of 800 patients stored on an unencrypted USB stick in 2010, in yet another data protection blunder by the NHS.