ICO issues encryption warning after council fined for data breach

The Information Commissioner's Office (ICO) has reminded public and commercial organisations that sensitive personal information should be encrypted when being stored and sent electronically.

The warning came after Stoke-on-Trent City Council was penalised £120,000 following a serious breach of the Data Protection Act that led to sensitive information about a child protection legal case being emailed to the wrong person.

Stephen Eckersley, Head of Enforcement at the ICO, said: "If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.

"It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.

"The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost."

The breach happened on 14 December last year, when 11 emails were sent by a solicitor at the authority to the wrong address. The emails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The emails should have been sent to counsel instructed on a child protection case.

While the authority was able to establish that the email address used was valid, the recipient failed to respond when asked to delete the emails.

The ICO's investigation found the solicitor was in breach of the council's own guidance, which confirmed that sensitive data should be sent over a secure network or encrypted. However, the council had failed to provide the legal department with encryption software and knew that the team had to send emails over unsecured networks. The council also provided no relevant training.

In reaching the decision on 25 October to levy the penalty, the ICO also took account of the undertaking previously signed by the authority in early 2010. During that incident sensitive data relating to a childcare case was lost after being stored on an unencrypted memory stick. At the time the council agreed to introduce improvements to keep people's data secure, including the introduction of encryption for portable devices used to store personal data.