17 July 2012

Failure to protect data on stolen memory sticks breaches Data Protection Act

A charity that allowed employees to take home unencrypted memory sticks containing personal details of individuals was guilty of Data Protection Act breaches, the Information Commissioner’s Office (ICO) ruled recently.

The details on the memory sticks — names, addresses, birthdays and some health information — had already been transferred from the memory sticks to the charity’s server so there was no need for them to remain on the memory sticks at all.

The ICO said that:

  • The details should have been deleted from the memory sticks once the transfer to the charity’s server had taken place.
  • The charity should have had formal policies about keeping personal data secure, including for employees working at home, and about encrypting data on laptops and other mobile kit, but did not.

The issue came to light when the memory sticks were stolen from an employee’s home. The charity immediately self-reported to the ICO, and notified the individuals whose details had been compromised.

As the numbers affected were limited, and there was no evidence that the thieves had actually accessed the personal data, the ICO did not fine the charity, but required the chief executive to sign an undertaking that it would improve its policies and procedures to ensure compliance with the Act.

Recommendations

All organisations should ensure they have policies for keeping personal data secure, including deleting it when it is no longer required and protecting it when employees keep it at home.

For more information please contact Mark Lumley at Shulmans on 0113 297 7727 or at mlumley@shulmans.co.uk.