Rochdale council loses data on 18,000 residents
03 November 2011
A memory stick holding information on thousands of people has been lost by a council, resulting in an "unacceptable" breach of UK data laws, the information regulator has said.
The Information Commissioner's Office (ICO) found that Rochdale Metropolitan Borough Council had lost more than 18,000 residents' details after storing them on an unencrypted device, leading to a breach of the Data Protection Act.
The information, stored on the memory stick to compile the council's financial accounts, did not include bank account details. But it did contain some residents' names and addresses as well as details of payments.
Investigations found insufficient data protection practices at the council, specifically its failure to encrypt memory sticks. Council employees were also said to have received inadequate data protection training.
The ICO has ordered the council to put the necessary changes in place by March 2012, adding that it will check that improvements have been made. There was no indication that a financial penalty would be imposed, but the regulator does have the ability to fine organisations up to £500,000 for serious breaches of UK data laws.
"Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable," said ICO enforcement group manager Sally Anne Poole.
"This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people.
"Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that's why we will follow up with the council, to ensure they're doing everything they can to prevent this type of incident happening again."