Greater Manchester Police has been fined by the Information Commissioner’s Office (ICO) after a USB memory stick was stolen in a burglary at a detective’s home. The device contained sensitive personal data relating to crimes and witnesses and was not encrypted or even password protected.
The memory stick included details of over 1,000 people linked to drugs investigations, as well as the identities of serving police officers. The ICO, in levying a fine of £120,000 against the force, pointed out that the information stored on the stick could lead to serious physical harm against the data subjects, should it fall into the wrong hands.
The ICO said that safeguards should have been put in place, such as ensuring the data on the memory stick was encrypted. It pointed out that the nature of the information should have prompted the force to have sufficient measures in place to prevent it being disclosed to an unauthorised individual. It added that the size of the fine was partially a reflection on the “significant failings the force demonstrated”.
This demonstrates how vital it is to have the proper safeguards in place. Removable storage devices should ideally be used as a last resort, due to the ease with which they can be misplaced or stolen. If they are being used to store personal data, they should ideally be encrypted. Many USB sticks on sale include encryption software, although it is relatively straightforward to encrypt data in any event. Remote access using two-step authentication is a preferred method, as it allows people to access data remotely without carrying it on their person.