An Isle of Man care provider has committed to encrypting all personal data on portable devices after an employee lost an unencrypted memory stick holding care and mental health information about 150 individuals last year.
Praxis Care, a service provider for people with learning disabilities and mental ill health, breached the UK Data Protection Act and the Isle of Man Data Protection Act when the stick was lost last August.
The Information Commissioner’s Office said Praxis had taken action to improve its data protection practices following a joint ruling by the ICO and the Office of the Data Protection Supervisor for the Isle of Man.
The company has committed to making sure that all portable devices used to store personal data are encrypted and that any personal information that is no longer needed will also be disposed of securely.
The stick held data on 107 residents of the Isle of Man and 53 residents of Northern Ireland. The information about Northern Ireland residents dated from two years earlier, when the employee had worked there. Some of the information was sensitive, and related to individuals’ care and mental health.
UK Information Commissioner Christopher Graham said carrying people’s personal information around on an unencrypted memory stick was“clearly unacceptable.”
“The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.”
The device has not been recovered. However, Praxis informed everybody who might have been affected about the loss and no complaints have been received by the regulators.
Iain McDonald, Isle of Man data protection supervisor, said the joint action in this case sent a clear message that a lax attitude to data security would not be tolerated.
“We will continue to work with regulators in other countries to ensure that our residents’ personal information is protected,” he said.