Pupil data on stolen laptop
Reporter: Richard Hooton
Date published: 22 April 2011
AN OLDHAM school breached the Data Protection Act after an unencrypted laptop containing the personal information of 90 pupils was stolen.
The Information Commissioner’s Office (ICO) found Freehold Community School in breach after hearing that the computer was taken from the locked boot of a teacher’s car, which was parked at home overnight.
It has ordered the Chadderton school to improve its policies and warned that enforcement action will follow if it happens again.
The school reported the incident to the ICO in January, whose inquiries found that the school was unaware of the need to encrypt portable and mobile storage devices, although it did have a policy in place informing staff that storage devices should not be kept in cars when away from the school premises.
Head teacher Joyce Willetts has now signed an undertaking to ensure that portable and mobile devices, including laptops and other portable media used to store and transmit personal data, are encrypted using encryption software which meets the current standard or equivalent.
Staff will also be trained on how to follow the school’s policy for the storage and use of personal data and the school has agreed that its policies on data protection and IT security issues will be appropriately and regularly monitored.
ICO Acting Head of Enforcement Sally-Anne Poole said: “It is vitally important that organisations take the necessary precautions to ensure that people’s personal information remains secure.
“The fact that the school was unaware of the need to encrypt the information stored on their laptop shows that many organisations continue to process personal information without having the most basic of security measures in place.
“We are pleased that Freehold Community School has taken action to ensure that pupils’ personal information will be better protected in the future.”
Anyone who processes personal information must comply with eight principles of the Data Protection Act, including making sure that it’s secure, accurate and up to date and not kept for longer than necessary.
An ICO spokeswoman said the undertaking is one of the enforcement tools available to stop breaches happening again and action for further breaches could include an enforcement notice - a legally binding document - or court action. For the most serious cases a fine of up to £500,000 can be imposed.
An Oldham Council spokesman said it was up to schools to decide their own policies on encrypting laptops.
