An unencrypted USB stick used by staff at West Berkshire Council has been reported as missing to the Information Commissioner’s Office (ICO), representing the second incident of serious data loss from the authority in 2010.
An ICO source has confirmed that the missing USB device was not protected by encryption or any basic password system. It has also been revealed that the personal information stored on the drive relates to thousands of children living in the region.
Details on the device are known to include the physical and mental condition of the affected youngsters, along with their ethnic origin.
The council had been using encrypted USB drives for the past four years. However, the ICO said that devices pre-dating this security overhaul were still in use, and the missing drive is believed to be one of these older, unencrypted examples.
The ICO found that staff working for the council had not received the training necessary to properly protect the data in their care. It also said that the council was not monitoring data use or ensuring that it was in compliance with government regulations.
A spokesperson for the council said that its chief executive had committed to removing all unencrypted storage devices from circulation and ensuring that future devices cannot be accessed by third parties.
The ICO’s Sally-Anne Poole said that firms and organisations of all types need to take greater precautions when using portable storage solutions, as unencrypted devices cannot protect the data they store in any way, and can easily fall into the wrong hands if lost or stolen.
Ms Poole said that the ICO was pleased with the council’s commitment to changing its policies and tightening its data security relating to portable devices and that the ICO had been suitably convinced that such an event could not easily occur again.
Although the council has reported the loss to the ICO and undertaken the necessary changes, it has not made public information as to how or where the USB drive was misplaced.