
This story via Handsam.
A school in Rochester, Kent, has become the first major casualty of the new GDPR regulations. An unencrypted memory stick was lost and later handed in by a member of the public. The stick contained details of the school's entire student body, including names, ages, SEN details, attainment targets and whether they have English as a first language. Under the new regulations, the school has had to both refer itself to the Information Commissioner’s Office and inform all parents/carers about the breach. This is obviously hideously embarrassing and the pain won’t end there. This is the first opportunity that the ICO has to set a benchmark for fines for serious breaches of the code.
It has to be said that the school did exactly the right thing in the aftermath of the incident, so that may well mitigate the eventual punishment. It will be very instructive to see what follows and the impact it has both upon the school and the staff members concerned.
Action Points
- Take immediate action to inform all staff that memory sticks should never contain any personal or sensitive data. Encryption is a security option, but there really should be no need to use memory sticks at all. Other methods can be deployed.