Out-Law News 1 min. read
09 Sep 2009, 9:38 am
NHS Education for Scotland (NES) has admitted that the information was stored unencrypted on a laptop. It said that it was not intended that the laptop leave its premises.
Privacy watchdog the Information Commissioner's Office (ICO) has said that it will agree not to take action against the body as long as it encrypts laptops and portable devices likely to contain personal data.
The information on candidates in relation to diversity and equality is likely to qualify as 'sensitive personal data', the ICO said, which means that it earns greater protection from the law.
The information was being used to test the development of a recruitment website and was stored in NES's offices at Ninewells Hospital in Dundee.
It was stolen from there late last year. "NES staff are confident that this office was locked at the close of business on [the day in question]," said the ICO's account. "A police investigation into the incident has proved inconclusive; Tayside Police do not expect any further progress."
The ICO said that for each of the 6,377 people, a database on the laptop contained "summary descriptions of applications for medical training positions, and included information such as the names, addresses, phone numbers and General Medical Council reference numbers of the data subjects. The personal data also included equality and diversity monitoring information".
NES has said that it will encrypt data on devices, train staff on its new practices and improve security measures.
“Password protected laptops are not secure," said Ken Macdonald, Assistant Information Commissioner for Scotland. "I urge all organisations to restrict and encrypt the amount of personal information stored on portable devices that can be taken off site."
"In this case, the stolen laptop contained sensitive personal information including equality and diversity information. If personal details fall into the wrong hands, individuals can experience considerable distress. Safeguarding sensitive personal information is an important principle of the Data Protection Act. This case serves as a reminder that all organisations and their executive teams need to ensure that data protection is treated as an important part of corporate governance," he said.
