The Information Commissioner's Office (ICO) has reprimanded a Scottish charity for breaching data rules after two unencrypted USB sticks, which stored data on over 100 individuals, were stolen from an employee's home.
The information belonged to the charity Enable Scotland, with the devices containing the names, addresses and dates of birth, as well as some health data relating to more than 100 people.
An investigation into the incident by the ICO found that the charity had failed to delete data from the memory sticks once it had been uploaded and that it lacked guidelines for home workers on the best ways to keep personal data secure.
Enable Scotland has signed an undertaking committing it to improve its data handling.
Ken Macdonald, assistant commissioner for Scotland, said the case was a reminder for organisations to put measures in place to protect their data through both encryption and education.
"Organisations that use memory sticks to store personal information must make sure the devices are properly protected. Encrypting the data means that the information will remain safe even if the device is later lost or stolen," he said.
"It is also important that employers provide home workers with guidance on how to keep any personal data taken outside of the office secure, as this is potentially when the information is most vulnerable."
V3 contacted Enable Scotland for comment on the undertaking but had received no reply at time of publication.
Unencrypted USB sticks remain the scourge of the ICO, with numerous charities, the NHS and councils failing to adequately protect data stored on such devices, leading to numerous incidents of data loss.
Chris McIntosh, chief executive of hardware encryption firm ViaSat UK, said the incident was another example of the failure among businesses to understand their obligation to protect personal data, particularly as it is increasingly accessed outside the corporate environment.
"This recent data breach is another piece of unwelcome news that, for whatever reason, a complacent approach to data protection still remains among some organisations," he said.
"As more organisations look to endorse remote working, sensitive data needs to be made secure from point to point or else we will keep seeing many more cases like this emerge in future."