The Information Commissioner’s Office (ICO) has found that the Royal London Mutual Insurance Society breached the Data Protection Act (DPA) after eight laptops, two of which contained the personal details of 2,135 people, were stolen from the company’s Edinburgh offices. The individuals affected were employees of various firms which had sought pension scheme illustrations. The laptops containing the personal information were password protected but unencrypted. An internal report showed that the company was uncertain about the precise location of the laptops at any given time and that physical security measures were inadequate. No additional precautions to control and secure the data had been taken because managers were unaware that personal information was stored on any of the laptops.

The company has now signed an official Undertaking requiring it to ensure that: portable and mobile devices including laptops are encrypted; appropriate physical security measures are taken to prevent unauthorised access to personal data; and all staff are made aware of the company’s policy for storage and use of personal data and appropriately trained in how to follow that policy.

Copies of the Undertaking and the related ICO press release are available.

http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx

http://www.ico.gov.uk/upload/documents/pressreleases/2010/royal_london_17032010.pdf