NY laptop theft breaches no data protection rules

27 Feb 2008

The loss of a laptop containing the files of up to 175,000 Irish blood donors, which was stolen earlier this month in New York, does not constitute a breach of the Data Protection Acts, and the encryption on the laptop is sufficient to protect the files, Ireland’s Data Protection Commissioner said today.

Following an investigation into the theft of the laptop from an employee of the New York Blood Centre (NYBC), the Data Protection Commissioner’s office said the NYBC had a proven track record in developing query tools for blood organisations like the Irish Blood Transfusion Service (IBTS).

The IBTS had developed an ongoing relationship with the NYBC and had asked them to develop a query tool for its blood records.

According to the Data Protection Commission, the data was provided in CD form to the NYBC and contained transaction log files from the Progresa electronic logs system used by the IBTS for the period 2 July to 11 October 2007.

The data contained patient names, addresses, email addresses and/or mobile phone numbers. The log files also contained numeric codes for other kinds of information, such as attendance at the IBTS or the results of blood tests performed by the IBTS.

“Importantly, the key for these codes was not on the stolen laptop or on the disks given to the NYBC for the performance of its functions,” the Commission said.

“It is not possible to isolate individual fields in the log files, so it would have been difficult, if not impossible, to have anonymised the files prior to their supply to the NYBC. Accordingly, the amount of personal data supplied to the NYBC for the performance of the contract entered into is not considered excessive in the circumstances,” the Commission said.

“The security protocols used to protect the data when loaded onto the laptop were appropriate to the potential harm that might result from inappropriate access to the personal data in question. We are satisfied, based on the information provided, that the key to the encryption software used on the laptop was not stored anywhere on the laptop or elsewhere.”

The Commission says its investigation has enabled it to conclude that the transfer of the personal data to the NYBC in the US did not constitute a breach of the Data Protection Acts of Ireland.

“It is the conclusion of this Office that the encryption in place on the laptop was sufficient to ensure that there is only the remotest of possibilities of access taking place to the personal data in question.

“Even in such an eventuality, the personal data in question does not contain any sensitive information in relation to any of the identifiable persons,” the Data Protection Commission said in a statement.

By John Kennedy