Brian Pennington

A blog about Cyber Security & Compliance



Newcastle Youth Offending Team breached the Data Protection Act after theft of an unencrypted laptop

Newcastle Youth Offending Team breached the Data Protection Act by failing to encrypt a laptop containing personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.

The laptop – which contained personal data relating to 100 young people – was reported stolen from a contractor’s home in the Northumbria area in January. The contractor had been working on a youth inclusion programme on behalf of the Team. The majority of the personal data stored on the laptop included names, addresses, dates of birth and the name of the school the young person attended.

The ICO’s investigation found that, although Newcastle Youth Offending Team had a contract in place with the contractor, there was a failure to ensure that its employees were complying with necessary security measures.

Newcastle Youth Offending Team has stated that it will now take reasonable steps to ensure all data processors contracted to act on its behalf comply with the principles of the Act, including that all portable and mobile devices, including laptops, are encrypted.

Acting Head of Enforcement, Sally-Anne Poole, said:

“Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure. But, to their detriment, not enough data handlers are making use of it. This case also highlights how important it is to ensure that watertight procedures are in place before any work is undertaken by contractors. Organisations shouldn’t simply assume that third parties will handle personal data in line with their usual standards. I’m pleased that Newcastle Youth Offending Team has learned lessons from this incident and hope that it encourages others to heed our advice.” 


Information Commissioner’s Office issues third and fourth fines to Ealing and Hounslow Councils over loss of unencrypted laptops

Yesterday saw the second wave of fines from the Information Commissioner’s Office (ICO) over breaches to the Data Protection Act.

After the landmark first cases in November where monetary penalties were issued to Hertfordshire County Council for ‘two serious incidents’ regarding accidentally sent faxes, and to employment services company A4e for the loss of an unencrypted laptop, two more councils have also been fined for the loss of unencrypted laptops.

When talking to customers I often find they deal with legislation and compliance in silos e.g. PCI DSS. The reality is there are common security elements across almost all pieces of legislation and compliance.

A simple way of dealing with the above issue is to ask “how important is the data”. E.g. because of PCI DSS, card holder is important and with the Data Protection Act so is customer data, so why not apply the same levels of protection and controls to both?

Create a free website or blog at

Up ↑

%d bloggers like this: