Rochdale Metropolitan Borough Council has breached the Data Protection Act after losing an unencrypted memory stick containing the details of over 18,000 residents.
The memory stick, lost in May, included, in some cases, residents’ names and addresses, along with details of payments to and by the council.
The device did not include any bank account details. The information had been put on a memory stick to compile the council’s financial accounts.
The memory stick has not been recovered
The ICO’s investigation found that the council’s data protection practices were insufficient. The Council specifically failed to make sure that memory sticks provided to its staff were encrypted.
The council also failed to provide employees with adequate data protection training. As well as requiring the council to put all of the changes in place by 31 March 2012, the ICO will follow up with the council to ensure that the agreed actions have been implemented.
Acting Head of Enforcement, Sally Anne Poole said:
“Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people.
“Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that’s why we will follow up with the council, to ensure they’re doing everything they can to prevent this type of incident happening again.”