Sunday, 01 March 2015

Thousands of tenants' details found on memory stick in pub

Two housing bodies breached the Data Protection Act after the details of more than 26,000 tenants – including 800 bank accounts - were discovered on an unencrypted memory stick left in a pub.

The Information Commissioner’s Office found that Lewisham Homes and Wandle Housing Association both breached the act after the memory stick was left in a pub in March by a contractor.

The stick was discovered in the All Inn One pub in Forest Hill, Lewisham, by a member of the public who handed it in to police. There is no suggestion the data was misused.

Details of 20,000 Lewisham Homes tenants and 6,200 Wandle tenants were found on the stick – including the bank account details of 800 Lewisham Homes tenants.

According to ICO undertakings, the device was left there by a contract worker who had carried out a project for the data controller.

The contractor had copied the data onto the stick to work on a laptop from home as he experienced problems with the remote connection to the data controller’s network.

The commissioner found no evidence that the contractor had been trained in the data controller’s policies relating to data protection or IT security.

Both organisations have now agreed to ensure that all portable devices used to store personal information are encrypted, while all staff, including contractors, must follow existing policies and procedures on the handling of personal information.

All staff, including contractors and temporary staff, will also be monitored to ensure they are taking the appropriate measures to keep the personal information they are handling secure.

Sally-Anne Poole, acting head of enforcement at the ICO, said: ‘Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office.

‘Luckily, the device was handed in and there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected. 

‘We are pleased that Lewisham Homes and Wandle Housing Association will now make sure that all contractors follow their guidance on keeping personal information secure.’

A spokesperson for Lewisham Homes said: ‘Without our knowledge, one of our contractors took confidential information and put it onto a data stick belonging to the contractor which he subsequently lost.

‘This was in breach of our Data Protection procedures and as a result of this breach the contractor has now been dismissed.

‘We investigated the risk of personal data being lost and are confident that no personal data was compromised as the data stick was immediately handed into the police.

‘We have since reviewed and strengthened our data security measures to ensure that information can no longer be transferred to sticks or other portable devices without encryption.’

A spokesperson for Wandle said: ‘We are very sorry that this incident has occurred and we encourage any of our residents who may be concerned to contact us.

‘Both Wandle and the ICO are confident that personal information about our residents is not in the public domain.

‘However, we have of course learned a very valuable lesson here and we fully accept and take on board the findings of the ICO.

‘We have reinforced all of our data protection procedures, and we are retraining all members of staff to ensure this cannot happen again.’

Readers' comments (6)

  • 'Luckily the device was handed in' - after being carelessly left in pub!. This is a disgrace - not even encrypted. Why are contract workers/contractors (not clear from the article) or anyone taking this information home? Is this part of company policy? Hope the Data Controller has been fired for not ensuring all staff knew about EXISTING policies that were being ignored. 800 bank accounts and highly personal information treated this way is beyond careless - it is totally negligent. And why was the IT issue not sorted out?

    Unsuitable or offensive? Report this comment

  • WHY do people keep using these things for this data!?!

    There shouldn't be much need to take a database of tenant's information outside the office in this format. Doesn't any business use remote working?

    Unsuitable or offensive? Report this comment

  • Mr Reasonable

    "Doesn't any business use remote working?"

    Try re-reading the article Narra :-)

    Unsuitable or offensive? Report this comment

  • ‘However, we have of course learned a very valuable lesson here and we fully accept and take on board the findings of the ICO.

    I would wager they do not and the same will happen somewhere else sooner rather than later.

    Unsuitable or offensive? Report this comment

  • Rick Campbell

    A simple question -- if the person who lost the stick (I lose my walking stick on a regular basis .. and even lost my Zimmer frame twice) had the stick in their pocket/purse/briefcase, then how did it get from there to wherever place it was found (under a table/chair/in the loo/etc.?

    Perhaps, as a punishment, the person who lost the stick should be sent off to the US of A to meet a duke?

    Unsuitable or offensive? Report this comment

  • "Try re-reading the article Narra :-)"

    You are correct. I should have said use it correctly! Copying data onto USB's should not be allowed, they should disable the things in their offices to prevent people 'taking data home'. If the remote working isn't working, either work at work, or don't do it at all.

    Or just ask them not to detour to the pub on the way home...

    Unsuitable or offensive? Report this comment

Have your say

You must sign in to make a comment

sign in register

Newsletter Sign-up



IH Subscription