The information Commissioners office ICO issued a fine to a private nursing home for breach of the Data Protection Act (DPA) 1998 in August 2016.
A Whithehead Private Nursing Home Limited provided an unencrypted laptop to an employee, to which the employee took home.
The laptop contained personal data relating to 46 members of staff and 29 residents of the nursing home. This included their date of birth, mental and physical health status and ‘do not resuscitate’ status. The laptop was subsequently stolen when a burglary occurred at the home of the staff member.
The nursing home had no policies; whether it regarded governing the use of encryption and homeworking or providing staff training for data breaches.
The ICO also found that the nursing home had failed to take proper technical and organisational measures to prevent against the unlawful processing of personal data. Neither did it have any against accidental loss in contravention of the 7th Principles of the DPA had been breached.
The ICO considered that mobile items such as laptops have a high risk of loss and measures should have been in place to prevent the loss. The loss was of a kind to cause distress and the 7th principle of the DPA had been breached. A fine of £15,000 was imposed.
It is not enough to merely password protect your mobile devices. The ICO has issued guidance on mobiles devices and given the high risk of theft or loss associated with laptops, smartphones and tablets. Encrypting the devices can ensure that the threat of unauthorised or unlawful access is minimised.
Whilst the DPA does not specifically refer to encryption, it states that appropriate measures can be taken to secure data. Given that encryption is widely available at a relatively low cost, it is apparent it refers to this.
The ICO even encourages non-mobile devices such as desktop computers and servers to have encryption despite the lower risk of loss or theft. Every circumstance differs, and the level of security you may require will depend on you. Take into consideration the value and level of sensitivity of the information you wish to protect.
Do not wait until a data breach occurs, you could be fined and put your reputation in jeopardy!
For further information please contact Nath Solicitors.