The Information Commissioner has rapped British Council knuckles over the loss of staff data in January, reported here. If you look at how the matter was reported by the British Council in January, you could be forgiven for thinking that it was a very minor matter as it refers to “an extract of our payroll information”, “a routine monthly report”. But now we see that what was lost was a great deal more, and more sensitive, than that.
And, as ITPRO tells us today, it wasn’t encrypted. This is an excerpt from the agreement that the British Council has been required to sign:
The data controller did not take its own measures to safeguard the personal data it held on the disc, and in particular failed to ensure that the data was protected by the Government minimum standard of encryption. The Commissioner has taken into account the fact that the personal data in question related to trade union membership and bank account details, and could therefore potentially result in significant distress being caused to the individuals concerned.
The full text will be found here. The truth triumphs, and this time it took only about three months.