A council that used encrypted memory sticks has been handed a reprimand from the Information Commissioner’s Office (ICO) after an employee’s struggle to use the technology resulted in data being lost on an unsecured replacement drive.
According to a release put out by the ICO, Cambridgeshire County Council lost a stick containing case and meeting notes relating to least six ‘vulnerable adults’ in the council’s care, which it reported to the organisation last November.
The highly unusual dimension to this case is that the non-encrypted memory stick had only been used after an employee “encountered problems” using the encrypted one handed out by the Council.
The nature of the problem has not been revealed but underlines the problems organisations can encounter when using potentially complex technologies such as encryption.
If passwords are forgotten, procedures need to be in place to receive a new one quickly. If the drive fails for a technical reason, staff need to have a convenient fallback that doesn’t involve simply using an unsecured replacement.
“While Cambridgeshire County Council clearly recognise the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check their data protection policies are continually followed and fully understood by staff,” said the ICO’s enforcement group manager, Sally Anne-Poole.
In fact the council had undertaken an internal campaign to promote the use of encryption shortly before the loss.
The Council has escaped more serious action by signing up to a public undertaking to improve procedures although it is not clear how this differs from those in place at the time of the drive’s loss.
The case will probably be glossed over by companies that sell products in this field but admins will be well aware of the underlying issues. Encryption can secure data but it can be a complex and time-consuming technology to manage in real-world situations.