A youth charity, Fairbridge, has signed an Undertaking with the UK's Information Commissioner's Office, promising to better protect personal information. Among the promises: the use of hard disk encryption like AlertBoot when and where it is necessary.
Fairbridge admitted to data breaches in its Undertaking. In one, a laptop computer was lost at an airport. The laptop contained personal information for 16 employees of Fairbridge, including "appraisals and supervision notes." The laptop was password-protected.
In another case, a laptop was left on a bus. The device contained information on 325 employees, including name, address, date of birth, and salary.
Neither of the computers was recovered, and neither used encryption software to protect the data. (Unlike some other organizations, the ICO never makes the mistake of claiming password-protection to be encryption or vice-versa.)
As the Undertaking points out, "neither...contain any sensitive personal data as defined in section 2 of the DPA [Data Protection Act 1998]." This is the reason why Fairbridge only had to sign an Undertaking, as opposed to paying a monetary penalty.
Despite the lack of sensitive data, Fairbridge has "ensured the encryption of mobile devices that contain personal data" since the data breach. It's a wise and practical move.
Nothing is better at protecting data-at-rest than full disk encryption. It's so good at maintaining data secrecy that governments have set up agencies to break it -- such as the NSA in the US and the GCHQ in the UK -- and passed laws to force people to give up their passwords (such as the UK's RIPA).
Thankfully, there was no sensitive personal data on the two laptops. But there is no guarantee that Fairbridge will be so lucky in the future. Once you start storing personal data, the deliberate or accidental storage of sensitive personal data is not too far behind, as experience has shown time and time again.
Related Articles and Sites:
http://www.ico.gov.uk/what_we_cover/taking_action/~/media/documents/library/Data_Protection/Notices/fairbridge_undertaking.ashx
http://www.ico.gov.uk/news/latest_news/2012/councils-must-take-data-protection-seriously-information-commissioner-warns-10022012.aspx