IT services firm Serco has apologised and agreed to pay costs after one of its laptops, containing sensitive data on more than 16,000 Worcestershire council staff, was stolen.
The laptop, which contained names, addresses, national insurance and bank account details of 39 percent of the staff and former employees paid through Worcestershire County Council’s payroll, was stolen in a street robbery last month.
The council has notified 16,200 individuals that their data may be at risk, including school staff and a small number of employees at the council’s partner agencies.
Serco is building a new integrated human resources and payroll system for the council to replace a 15-year-old mainframe-based payroll system. The new system, based on SAP enterprise software, is due to go live next month.
But in a report to the council’s cabinet, financial services director Mike Weaver confirms that the sensitive data should not have been kept on the laptop, describing the security breach as “regrettable and entirely avoidable.”
A joint investigation by the council and Serco found that “an employee of Serco, whilst wholeheartedly committed to the task in hand, allowed sensitive data to be inappropriately stored, contrary to Worcestershire County Council and Serco’s expectations,” Weaver’s report says.
It adds: “Serco apologises unreservedly to the County Council, its partner agencies and staff for the loss of the data and the circumstances surrounding its loss.”
The incident had resulted in unplanned costs “which in due course will be reimbursed by Serco,” the report confirms.
The IT services supplier will also be “reinforcing its security procedures throughout the organisation.”
A spokesperson for Worcestershire said the authority was “not completely sure of the level of encryption” on the stolen laptop, “but our understanding is there was security on the machine”.
Adrian Gregson, branch secretary of Worcestershire Unison, the council workers’ union, said he was concerned that the data had been taken off-site “by someone who was not an employee of the County Council.” He said: “We want to be sure the council amends its procedures to make sure that doesn’t happen.”
Procedures were also needed to make sure that council staff who used laptops as part of their work were “not at any risk either in person or with the information they carry around,” Gregson added. “Things need tightening up really.”
A Serco spokesperson declined to comment.
Serco Group announced profits of £107 million for 2006, up 38% on the previous year, in its preliminary results last month.