The theft of the encrypted laptop – along with 20 unauthorised and unencrypted CDs plus USB sticks – resulted in the children's details, which included names, dates of birth, addresses, free school meals eligibility and school attainment records, also being stolen.
The recording of the data in an insecure format was in breach of security policies, said the council, although officials are claiming it was a random, not a targeted, raid and, as a result, there is a low risk that there will be any impact on individuals whose data was lost.
Council officials say that the lost data relates to children who were at a Barnet school in Year 11 over the past three years, aged between 15 and 18.
The theft incident took place around two weeks ago. Since that time officials have been working to contact parents and undertaking a full risk assessment to identify any child protection issues that this breach may have created.
Parents have all been notified, says the council, and a 'questions and answers' report has been posted to the council's website.
Barnet council chief executive Nick Walkley, who apologised to those affected, said in a press statement that the incident was a clear breach of the council policies and the member of staff concerned has been suspended.
"We believe the risks attached to this data breach are minimal and the council has taken steps to minimise the risks still further. The council works to help and support children and young people every day and we take these duties extremely seriously", he said.
Infosecurity understands that the council has been in touch with the Information Commissioner's Office (ICO) and that other agencies were notified about the theft soon after it occurred.
Industry reaction to the data loss has been constructive, with Ewen Anderson, managing director at IT consultancy Centralis, saying that, if information security is left up to members of staff to remember to apply encryption to laptops and USB sticks it will inevitably fail, regardless of the good intentions of organisations or their staff.
"Successful security must be policy based and enforced by default – with exceptions either prevented or properly tracked", he said.
"Keeping data securely within the datacenter rather than allowing it to be downloaded and locally stored remains the best option for any organisation trying to stay out of the press and on the right side of the ICO", he added.
Infosecurity notes that the council – although the affected parents may not agree – was probably fortunate that the incident did not occur after April 6, when new penalties of up to £500,000 can be imposed by the ICO in cases where the organisation is found to be in serious breach of the Data Protection Act.
Jamie Cowper, European marketing director with data encryption firm PGP Corporation, said he's positive about the new penalties, and noted that the ICO, which has long demanded greater powers, will be able to severely punish those in serious breach of the Data Protection Act.
"For too long, organisations have continued to ignore the warning signs – risking both the privacy of their customers and the reputations of their brands", he said.
"The addition of a £500,000 fine, on top of the overall cost of a data breach should in theory provide enough of a financial deterrent for organisations reluctant to invest in their security strategies", he added.
According to Cowper – as PGP's research has shown that a high percentage (70%) of UK organisations suffered a data breach in the last year – it is clear that the ICO is going to have to couple this new policy with a fresh awareness campaign if organisations are to truly recognise the financial sense of investing in proven technologies, such as encryption.
"Organisations would be well advised to act sooner rather than later, otherwise they may face the daunting prospect of being the first to suffer punishment from an ICO eager to demonstrate its new powers", he noted.
Comments
kapple999 says:
06 April 2010
Encryption is not the be all and end all - the Data Protection Act has always mentioned that data should be adequate, relevant and not excessive. Barnet Council has confirmed that the data stored on the CD ROMs and memory sticks included Surname, Forename, Gender, Date of Birth, Address, Postcode, Phone number, UPN (a unique identification number), Ethnicity, free school meals eligibility, in-care indicator, Language, gifted and talented indicator, mode of travel to school, entry date to school, special educational needs indicator, school, attainment data for English, Maths and Science at end of years 6 and 9, attendance rate.
The data is described as being held for statistical purposes comparing trends amongst all students with the school performance of the children with which they were working.
However, I have to ask if it was for purely statistical purposes, why was the data not scrubbed of any identifying information? They could have relied upon their UPN for tracking purposes, and removed Name, Address, Phone Number, perhaps leaving in Date of Birth (would Month & Year have sufficed?) and Postcode?
Moreover, if this data is being collected on behalf of the Department of Children, Schools and Families, have they issued any guidelines, or is it possible that thousands of other schools are doing exactly the same thing, and there is a time bomb ticking away?
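The data-minimisation step the commenter describes – drop the direct identifiers, keep the UPN for tracking and coarsen the date of birth – is easy to make a routine part of producing a statistical extract. The following is an added example written for this page (it is not Barnet council's, Infosecurity's or the commenter's code); the field names follow the list in the comment above, the pupil records are constructed, and the choice of which fields count as direct identifiers is an assumption drawn from the comment's own suggestion.

```python
"""Data-minimisation pass over a pupil extract (editor's example, not code from
the article or the council). Field names follow the comment above; the sample
records are fictional."""
from datetime import date

# Fields the comment argues a purely statistical extract does not need.
# (Assumption: this set mirrors the commenter's suggestion, nothing more.)
DIRECT_IDENTIFIERS = {"Surname", "Forename", "Address", "Phone number"}

# Constructed sample records for two fictional Year 11 pupils.
SAMPLE_RECORDS = [
    {
        "Surname": "Example", "Forename": "Alice", "Gender": "F",
        "Date of Birth": date(1994, 3, 14), "Address": "1 Example Road",
        "Postcode": "N11 1AA", "Phone number": "020 7946 0000",
        "UPN": "A123456789012", "Ethnicity": "WBRI",
        "Free school meals": True, "In care": False,
        "English Y9": 6, "Maths Y9": 7, "Science Y9": 6,
        "Attendance rate": 0.96,
    },
    {
        "Surname": "Sample", "Forename": "Bob", "Gender": "M",
        "Date of Birth": date(1993, 11, 2), "Address": "2 Sample Street",
        "Postcode": "N12 2BB", "Phone number": "020 7946 0001",
        "UPN": "B210987654321", "Ethnicity": "AIND",
        "Free school meals": False, "In care": True,
        "English Y9": 5, "Maths Y9": 5, "Science Y9": 4,
        "Attendance rate": 0.88,
    },
]


def coarsen_dob(dob):
    """Reduce a full date of birth to year and month, as the comment proposes."""
    return f"{dob.year:04d}-{dob.month:02d}"


def minimise(record):
    """Return a copy of one record with direct identifiers removed and the
    date of birth coarsened; every other (statistical) field is kept as-is."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["Date of Birth"] = coarsen_dob(record["Date of Birth"])
    return out


def contains_direct_identifiers(records):
    """Gate to run before an extract is written to removable media: True if
    any record still carries one of the direct-identifier fields."""
    return any(DIRECT_IDENTIFIERS & set(r) for r in records)


def minimise_extract(records):
    """Minimise every record and refuse to return an extract that still
    contains direct identifiers."""
    out = [minimise(r) for r in records]
    if contains_direct_identifiers(out):
        raise ValueError("extract still contains direct identifiers")
    return out


if __name__ == "__main__":
    for row in minimise_extract(SAMPLE_RECORDS):
        print(row)
```

The gate in `contains_direct_identifiers` is the part worth keeping: it turns the commenter's question ("why was the data not scrubbed?") into a check that fails closed, so an extract with names or addresses never reaches a CD or memory stick in the first place.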