ICO penalties for not encrypting sensitive personal data
pwt at iosis.co.uk
Fri Oct 26 10:25:58 BST 2012
Smart Card News has today reported:
Penalty Highlights Need for Encryption of Sensitive Data
The Information Commissioner's Office (ICO) is reminding organisations
that sensitive personal information should be encrypted when being
stored and sent electronically.
The news comes as Stoke-on-Trent City Council receives a monetary
penalty of GBP 120,000 following a serious breach of the Data Protection
Act that led to sensitive information about a child protection legal
case being emailed to the wrong person.
Stephen Eckersley, Head of Enforcement at the ICO, said: "If this data
had been encrypted then the information would have stayed secure.
Instead, the authority has received a significant penalty for failing to
adopt what is a simple and widely used security measure. It is
particularly worrying that a breach in 2010 highlighted similar concerns
around encryption at the authority, but the issue was not properly
The breach happened on 14 December 2011 when 11 emails were sent by a
solicitor at the authority to the wrong address. The emails included
highly sensitive information relating to the care of a child and further
information about the health of two adults and two other children. The
emails should have been sent to Counsel instructed on a child protection
The ICO's investigation found the solicitor was in breach of the
council's own guidance which confirmed that sensitive data should be
sent over a secure network or encrypted. However, the council had failed
to provide the legal department with encryption software and knew that
the team had to send emails to unsecure networks. The council also
provided no relevant training.
** end quote **
I am concerned that such a penalty inflicted on a public sector body is
monetary, thus presumably either going back to the Treasury or being
used to fund the ICO. Why not instead require the guilty party to do the
necessary work of disciplining of staff (and if necessary of Elected
Members), training, and provision of the tools, do it quickly, and
demonstrate (to the satisfaction of an inspector) that it has been done?
More information about the ukcrypto