Thousands of tenants' details found on memory stick in pub
Two housing bodies breached the Data Protection Act after the details of more than 26,000 tenants – including 800 bank accounts – were discovered on an unencrypted memory stick left in a pub.
The Information Commissioner’s Office found that Lewisham Homes and Wandle Housing Association both breached the act after the memory stick was left in a pub in March by a contractor.
The stick was discovered in the All Inn One pub in Forest Hill, Lewisham, by a member of the public who handed it in to police. There is no suggestion the data was misused.
Details of 20,000 Lewisham Homes tenants and 6,200 Wandle tenants were found on the stick – including the bank account details of 800 Lewisham Homes tenants.
According to ICO undertakings, the device was left there by a contract worker who had carried out a project for the data controller.
The contractor had copied the data onto the stick to work on a laptop from home as he experienced problems with the remote connection to the data controller’s network.
The commissioner found no evidence that the contractor had been trained in the data controller’s policies relating to data protection or IT security.
Both organisations have now agreed to ensure that all portable devices used to store personal information are encrypted, while all staff, including contractors, must follow existing policies and procedures on the handling of personal information.
All staff, including contractors and temporary staff, will also be monitored to ensure they are taking the appropriate measures to keep the personal information they are handling secure.
Sally-Anne Poole, acting head of enforcement at the ICO, said: ‘Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office.
‘Luckily, the device was handed in and there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected.
‘We are pleased that Lewisham Homes and Wandle Housing Association will now make sure that all contractors follow their guidance on keeping personal information secure.’
A spokesperson for Lewisham Homes said: ‘Without our knowledge, one of our contractors took confidential information and put it onto a data stick belonging to the contractor which he subsequently lost.
‘This was in breach of our Data Protection procedures and as a result of this breach the contractor has now been dismissed.
‘We investigated the risk of personal data being lost and are confident that no personal data was compromised as the data stick was immediately handed in to the police.
‘We have since reviewed and strengthened our data security measures to ensure that information can no longer be transferred to sticks or other portable devices without encryption.’
A spokesperson for Wandle said: ‘We are very sorry that this incident has occurred and we encourage any of our residents who may be concerned to contact us.
‘Both Wandle and the ICO are confident that personal information about our residents is not in the public domain.
‘However, we have of course learned a very valuable lesson here and we fully accept and take on board the findings of the ICO.
‘We have reinforced all of our data protection procedures, and we are retraining all members of staff to ensure this cannot happen again.’