A nursing home in Northern Ireland was fined £15,000 by the Information Commissioner’s Office (‘ICO’) when an unencrypted work laptop was stolen from a member of staff’s house during a burglary. The laptop contained personal data relating to 46 members of staff including reasons for sickness absence and information about disciplinary matters. It also contained details relating to 29 residents including their dates of birth, mental and physical health and ‘do not resuscitate’ status.
The ICO drew attention to the fact that although the laptop was password protected (which was a mitigating factor) it was unencrypted. A login password alone does not protect data at rest: a stolen drive can simply be removed and read on another machine, which is why the ICO expects portable devices holding personal data to be encrypted. In addition, the employer had no policies in place governing the use of encryption, homeworking or the storage of mobile devices, nor did it provide adequate security training for its staff.
The Data Protection Act requires data controllers to have appropriate security in place to prevent personal data from being accidentally or deliberately compromised. Employers should:
The ICO has the power to serve a monetary penalty notice if there is a breach of the Data Protection Act, which can be up to £500,000.
For many employers it will be a normal working practice for staff to take laptops or other devices out of the office to work from home and it is important to ensure that personal data is kept secure at all times. The more confidential and sensitive the information, the more important it is to safeguard against unauthorised or unlawful access and accidental loss. Some key learning points from this case for employers are that: