The ICO has fined a history society after a laptop containing private information was stolen

The Information Commissioner’s Office (ICO) recently fined a Historical Society £500 for a data breach.

The monetary penalty was imposed on the Historical Society after a laptop, containing details of people who had donated or loaned artefacts to the society, was stolen, among other things. This happened whilst an employee was working on a laptop from home.

The ICO investigation concluded that the Historical Society had no policies or procedures covering homeworking, encryption, or mobile devices. The laptop in question wasn’t encrypted.

The Historical Society should’ve had procedures in place for homeworking, as the employee allegedly worked from home on multiple occasions.

The penalty notice also details that the breach was ongoing for a period of time until remedial action was taken following the security breach. This compounds the breach that the Historical Society committed, as it may have gone on for a long period of time before a remedy was imposed. Taken together with the matters detailed in the paragraph above, the ICO appears satisfied that the Historical Society was responsible for the breach.

Data controller’s responsibility

The Historical Society, as a data controller, was responsible for keeping the data secure and for complying with all eight data protection principles. The Society failed to adhere to the seventh data protection principle: to keep the private information safe and secure. The relevant provision of the Data Protection Act (DPA) is that:

“appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

By not having safeguards and policies in place, the Historical Society failed to prevent the ‘accidental loss’ of private data.

Censored information

We can’t delve too deeply into the circumstances or details of the case, as a great deal of the ICO’s monetary penalty notice was censored for legal or security purposes. The censored information includes the date of the incident, the number of individuals affected, and the individual who had the laptop stolen.

The ICO explains:

“…the personal information in this case was so sensitive we can’t give out details of the breach. The historical society knew of the potential consequences of losing the sensitive information and should have taken measures to secure the data.”

IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
