Cambridgeshire County Council breached the Data Protection Act as a memory stick was lost which contained sensitive data relating to vulnerable adults.

The ICO was informed by the Council in November 2010 that an employe had lost an unauthorised and unencrypted memory stick, which they had used to store notes and minutes of meetings relating to the support of at least six individuals. The employee did have an official council encrypted device, but failed to use it after encountering problems.

The incident occurred shortly after the council had undertaken an internal campaign aimed at promoting its encryption policy. During this time employees had been asked to hand in unencrypted devices and were warned about the importance of keeping personal information secure.

Sally Anne-Poole, Enforcement Group Manager at the ICO, said:
“While Cambridgeshire County Council clearly recognise the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check their data protection policies are continually followed and fully understood by staff.

“We are pleased that Cambridgeshire County Council has taken action to improve its existing security measures and has agreed to carry out regular and routine monitoring of its encryption policy to ensure it is being followed.”

A Cambridgeshire County Council spokesman said the member of staff who lost the device had been disciplined and had also been given advice on their professional conduct following a full investigation.

He said: “Cambridgeshire County Council takes the storage of personal data very seriously and has strict procedures on how it should be stored. We apologise that this loss happened and contacted the relevant people as soon as we were made aware. In this case the member of staff did not follow the council’s policy of using a password protected and encrypted memory stick.”