The learning disability charity Enable Scotland has agreed to improve its data protection policies after memory sticks and papers containing the personal details of about 100 service users were stolen from an employee’s home.
The data included people’s names, addresses and dates of birth, and some information about their health.
The memory sticks and papers were stolen from an employee’s home in November. The charity reported the theft to the Information Commissioner’s Office and told those affected.
An investigation by the ICO, details of which have been published today, found the charity had breached the Data Protection Act by allowing the information to remain unencrypted on the memory sticks, and said the data should have been deleted from the sticks once it had been uploaded to the charity’s server.
The ICO found that the charity had no guidance for home workers on keeping personal data secure, and that portable media devices used to store sensitive personal information were not routinely encrypted.
A spokesman for the ICO said it had decided not to fine the charity because the case did not meet a set of criteria for doing so, which included causing "substantial damage or substantial distress".
Peter Scott, chief executive of Enable Scotland, has signed an agreement to improve the charity’s data protection measures.
Figures from the Office of the Scottish Charity Regulator show the charity had an income of £31m in 2010/11.
Ken Macdonald, the assistant commissioner for Scotland, said: "We are pleased that Enable Scotland has taken action to keep people’s information safe. However, this incident should act as a warning to all charities that they must ensure personal information is handled correctly."
The charity issued a statement that said: "We immediately notified the Information Commissioner’s Office of this theft and supported their investigation. Working with the ICO we have developed and implemented robust policies for the storage and removal of data from the office."