The Alzheimer’s Society has been publicly reprimanded after it admitted to three separate breaches of the Data Protection Act in 2009.
The Information Commissioner’s Office (ICO) revealed this week that, in the most serious incident, several unencrypted laptops were stolen during a burglary at the charity’s Cardiff office last August.
One of the laptops contained personal details including names, addresses, national insurance numbers and salary details for roughly 1,000 of the charity’s staff.
The laptops had not been physically secured with cable locks or locked away securely.
The Society has now signed a formal undertaking promising to improve security and ensure staff are made aware of its policies for the storage, use and disposal of personal information.
Staff will also receive appropriate training on how to follow these policies.
ICO: 'Portable devices must be encrypted'
Sally-Anne Poole, head of investigations at the ICO, said: “A thousand staff members’ details were stored on unencrypted laptops.
“This is unacceptable; portable devices must be encrypted if they are used to store personal information. It is vital that all organisations ensure personal information is handled securely and that appropriate staff have adequate training in this area.”
Ruth Sutherland, acting chief executive at the Alzheimer’s Society, said: “Alzheimer’s Society takes information security very seriously and as soon as we found out about the thefts we reported them to the Information Commissioner’s Office.
“All staff impacted and everyone who works at the Society were also immediately informed.
“Unfortunately the laptops were stolen as they were waiting to be encrypted. However, before the incidents, the Society had already begun rolling out an information governance programme.”