Scottish Council to improve security after breaching the Data Protection Act



The laptops contained personal details relating to approximately 1,400 individuals, including medical information. Both laptops were password protected and stored in a locked office, but they were not encrypted and no additional physical security measures were in place.

Alistair Dodds, Chief Executive of The Highland Council, has signed a formal Undertaking. By 30 September 2009 the council will ensure that portable and mobile devices containing personal data, including laptops, are encrypted. The council has also agreed to ensure that physical security measures and procedures will be adequate to prevent the theft of devices containing people's personal details.

Ken Macdonald, Assistant Information Commissioner - Scotland, said: 'The stolen laptops contained sensitive personal information, including health records. I urge all councils and their executive teams to ensure that data protection is treated as an important part of corporate governance. Safeguarding sensitive personal information must be embedded in their organisational culture. No public body can afford to take risks with personal details, least of all health records.'

Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection
