Information Commissioner's Office
Printable version E-mail this to a friend

Penalty highlights need for encryption of sensitive data

The Information Commissioner’s Office (ICO) is reminding organisations that sensitive personal information should be encrypted when being stored and sent electronically.

The news comes as Stoke-on-Trent City Council receives a monetary penalty of £120,000 following a serious breach of the Data Protection Act that led to sensitive information about a child protection legal case being emailed to the wrong person. 

Stephen Eckersley, Head of Enforcement at the ICO, said:

“If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.

“It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.

“The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost.”

The breach happened on 14 December 2011 when 11 emails were sent by a solicitor at the authority to the wrong address. The emails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The emails should have been sent to Counsel instructed on a child protection case.

While the authority was able to establish that the email address used was valid, the recipient failed to respond when asked to delete the emails.

The ICO’s investigation found the solicitor was in breach of the council’s own guidance which confirmed that sensitive data should be sent over a secure network or encrypted. However, the council had failed to provide the legal department with encryption software and knew that the team had to send emails to unsecure networks. The council also provided no relevant training.

When reaching today’s decision, the ICO also took account of the undertaking previously signed by the authority in early 2010. During this incident sensitive data relating to a childcare case was lost after being stored on an unencrypted memory stick. At the time the council agreed to introduce improvements to keep people’s data secure, including the introduction of encryption for portable devices used to store personal data.  

View Stoke-on-Trent City Council's monetary penalty notice

Details of the additional changes the authority has agreed to introduce are detailed in Stoke-on-Trent City Council's enforcement notice.

The ICO has produced advice on the use of encryption.

Notes to Editors

1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
 
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.
 
4. Anyone who processes personal information must comply with
eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

5. Civil Monetary Penalties are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.

6. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office.

Mobilising excellence in prison operations