ICO slams two London housing bodies over USB data stick loss

The memory stick, which was handed in to the police, belonged to a contractor who was carrying out work for Lewisham Homes and had previously also worked for Wandle Housing Association.

According to the ICO, the contractor had copied the information held on the memory stick from both organisations' networks. The device contained details of over 20,000 tenants of Lewisham Homes and 6,200 tenants of Wandle Housing Association.

Almost 800 of the records belonging to Lewisham Homes also contained tenants' bank account details.

Both organisations have agreed to make sure that all portable devices used to store personal information are encrypted. All staff, says the ICO, including contractors, must follow existing policies and procedures on the handling of personal information.

The ICO adds that all employees - including contractors and temporary staff - will also be monitored to ensure they are taking the appropriate measures to keep the personal information they are handling secure.

Sally-Anne Poole, acting head of enforcement with the ICO, said that saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office.

"Luckily, the device was handed in and there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected", she said.

"We are pleased that Lewisham Homes and Wandle Housing Association will now make sure that all contractors follow their guidance on keeping personal information secure", she added.

Industry reaction to news of the ICO's censure of the two associations has been mixed. Nigel Hawthorn, VP marketing EMEA with Blue Coat Systems, hinted at the fact that public bodies are not penalised, other than by censure, noting that this is yet another example of how complacency and data loss can come from all sorts of places.

"The lesson here is to assume that your data will be lost as there is virtually nothing that can be done to address the carelessness of those responsible for your personal information", he said.

Chris McIntosh, CEO of ViaSat UK, who has been vociferous critic of the ICO's penalties for data breaches, said that the incident shows a worrying lack of regard both by the contractors and - by extension - the two associations.

"That the information was lost in a pub just seems to top off this apparent lack of care. This loss demonstrates that when bodies such as housing associations enlist the services of contractors and outside organisations, they must ensure that they obey data protection best practices and can be trusted with sensitive information", he said.

"For their part, contractors that are entrusted with the sensitive details of thousands of third parties through their employers should have far greater regard for data protection", he added.

What’s Hot on Infosecurity Magazine?