Brian Pennington

A blog about Cyber Security & Compliance


Christopher Graham

ICO publishes its annual report

The Information Commissioner has released its annual report.

Christopher Graham points to the strengthening of his regulatory powers to show how the legislation continues to develop. In the past year, the ICO was given powers to compulsorily audit NHS bodies for their data handling, and it was also made an offence to force a potential employee to make a subject access request for, for example, their spent criminal record. A law change also made it easier to issue fines to companies behind nuisance calls and texts.

Information Commissioner Christopher Graham said:
“It’s thirty years since this office was established in Wilmslow. We’ve seen real developments in the laws we regulate during that time, particularly over the past year. Just look at the EU Court of Justice ruling on Google search results, a case that could never have been envisaged when the data protection law was established.

“Our role throughout has been to be the responsible regulator of these laws. More than that, we work to demystify some of this legislation, making clear that data protection isn’t to be seen as a hassle or a duck-out, but a fundamental right.

“A good example of that is our role in the new data protection package being developed in Brussels. We’ve been asked for our advice, based on our experience regulating the existing law, while we’ve also provided a sensible commentary on proceedings for interested observers.

“That role will continue this year, in what promises to be a crucial twelve months. The reform is overdue, but it is vital that we get the detail right on a piece of legislation that needs to work in practice and to last.”

“It is striking to see how decisions that were so hard fought in the early years have resulted in routine publication of information. Publication of safety standards of different models of cars, for example; or hygiene standards in pubs and restaurants; and surgical performance records of hospital consultants. Publication is now expected and unexceptionable.

“It’s been the ICO’s job to help public authorities to comply with requests,” Mr Graham will say. “The ICO’s role has led to information being released that time and time again has delivered real benefits for the UK.”

“Our Annual Report is our claim to be listened to in the debates around information rights. It shows the ICO knows what it is talking about.”

The ICO annual report reflects on the financial year 2014/15. Key stats include:

  • 14,268 – data protection concerns received
  • £1,078,500 – total CMPs issued, £386,000 of which were for companies behind nuisance calls or texts
  • 195,431 – helpline calls answered
  • 11.4% – rise in number of concerns raised about nuisance calls and texts (to 180,188)
  • 41 – audits conducted of data controllers (as well as 58 advisory visits to SMEs)
  • 1,177 – Information requests responded to
  • 4.9 million – number of visits to our website

The full report can be found here.


Information Commissioner’s Office provides data protection advice to the legal profession

The Information Commissioner’s Office (ICO) is warning barristers and solicitors to keep personal information secure, especially paper files. This follows a number of data breaches reported to the ICO involving the legal profession.

The ICO can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act provided the incident had the potential to cause substantial damage or substantial distress to affected individuals.

In most cases these penalties are issued to companies or public authorities, but barristers and solicitors are generally classed as data controllers in their own right and are therefore legally responsible for the personal information they process.

In the last three months, 15 incidents involving members of the legal profession have been reported to the ICO. The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty. Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach.

Information Commissioner, Christopher Graham, said:

“The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.

“We have published some top tips to help barristers and solicitors look after the personal information they handle. These measures will set them on the road to compliance and help them get the basics right.”

The ICO has published the following top tips to help barristers and solicitors keep the personal information they handle secure:

  • Keep paper records secure. Do not leave files in your car overnight and do lock information away when it is not in use.
  • Consider data minimisation techniques in order to ensure that you are only carrying information that is essential to the task in hand.
  • Where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen.
  • When sending personal information by email consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct.
  • Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it.
  • If you are disposing of an old computer, or other device, make sure all of the information held on the device is permanently deleted before disposal.

The ICO is currently working with The Bar Council to update the Information Security Guidance provided to Barristers in England and Wales.

The original ICO post is here.

UK’s Information Commissioner believes 2013 will be the year businesses handle data correctly…!

2013 is the year that the commercial imperative of good data handling will be realised

Speaking at the launch of the ICO’s annual report today, Christopher Graham will highlight that consumers have a strong awareness of how their data should be handled, and how this affects their relationship with businesses.

An ICO study into public attitudes toward data protection found that 97% of those surveyed were concerned that organisations would pass or sell-on their personal details. The survey also found more than half (53%) considered details of the products they had bought to be personal information.

Yet in spite of these consumer concerns, only 10% of businesses were aware of the legal limitations on how they could use customers’ personal data.

Information Commissioner Christopher Graham said:

“Education and empowerment have been two of the key areas we’ve focused on in the past twelve months. That work is having real benefits: consumers’ awareness of their rights remains strong, and that is empowering people to demand more in return for their data.

“The result is consumers expecting organisations to handle their personal data in a proper way, and in a legal way. Businesses that don’t meet that basic requirement are going to quickly find themselves losing customers.

“I think 2013 is the year that organisations will realise the commercial imperative of properly handling customer data. The stats we’ve seen about public concern around personal data show that, as does a company the size of Microsoft choosing privacy as a theme of a national advertising campaign.

“The message to business is simple: consumers understand the value of their personal data, and they expect you to too.”

Find the complete report here.

Finally a prosecution of a former employee stealing confidential information

Thousands of people every day must copy, save or forward information for innocent or mischievous purposes, but now there is a quotable case that can be used to deter such risky activities.

A former manager of a health service based at a council-run leisure centre in Southampton has been prosecuted by the Information Commissioner’s Office (ICO) for unlawfully obtaining sensitive medical information relating to over 2,000 people.

Paul Hedges took the information hoping to use the data for a new fitness company he was setting up. He was prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates Court yesterday and fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs.

Mr Hedges, who previously worked as a Community Health Promotions Manager based at Bitterne Leisure Centre, sent the information to his personal email account on 28 April 2011 after being told that he was being made redundant. The 42 year-old had previously been responsible for managing the council’s Active Options GP referral service, where patients would be referred by their GP or other health professional to attend fitness sessions, for a range of conditions including obesity, diabetes, arthritis, and cardiac and mild mental health issues.

The information included sensitive medical details relating to 2,471 patients. The council became aware of their former employee’s actions when they received complaints about patients being approached by Mr Hedges, who had since set up a similar service using the Active Options name and branding.

Christopher Graham the UK Information Commissioner was quoted as saying:

People have a right to privacy and the ICO works to maintain that right

Nobody expects that their health records will be taken and used in this way. Mr Hedges had been told by Southampton Council about the need to keep patients’ details confidential, but he decided to break the law.

This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statute book but needs to be activated.

The government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.

Information Commissioner’s Office consults on new anonymisation code of practice

The Information Commissioner’s Office (ICO) has begun a public consultation on a new anonymisation code of practice.

The code will provide guidance on how information can be successfully anonymised and how to assess the risks of identification. The ICO has also launched a tendering process to establish a network of experts to share best practice around the release of data in an anonymised form.

Anonymisation techniques can convert personal data into a form so that individuals are no longer identifiable. The consultation will be relevant to any organisation that wants to release anonymised data, for example under the government’s open data agenda.

Christopher Graham, Information Commissioner said:

“The UK is putting more and more valuable data into the public domain. The open data agenda will see this process continue and I welcome the power this information gives the average UK citizen to understand how the public sector operates and hold organisations to account.

“However, while the public wants to see openness, they want to see their privacy rights respected too. The risks of anonymisation can sometimes be underestimated and in other cases overstated; organisations need to be aware of what those risks are and take a structured approach to assessing them, particularly in light of other personal information in the public domain.

“Anonymisation can allow organisations to publish or share useful information derived from personal data, whilst protecting the privacy rights of individuals. Our code will aim to provide clear, practical advice on how data can be anonymised. We are now inviting individuals and organisations to submit their views on how this can best be achieved.”

The consultation will play an important role in making sure that the new code achieves the right balance between the protection of individuals’ privacy and the benefits of making information publicly available.

The consultation will remain open for the next 12 weeks, before closing on 23 August 2012. A copy of the draft code and consultation document is available in the consultation section of the ICO website.

A final version of the ‘Anonymisation Code of Practice’ – incorporating any changes arising from comments received – is due for publication in September.

The code of practice will allow organisations to better achieve compliance against the proposed European Data Protection Act. Read my post Proposed European wide Data Protection Act – a review for further information.

Another alternative to anonymisation is Tokenization which is a recognised solution for PCI DSS. For details of a Free copy of the Tokenization for Dummies eBook click here.


School boy error at a University

How many other people will have done this: taken a screenshot for training purposes, to demonstrate a technical error, to share a section of a document, etc.? And how many people have inadvertently included another application, image or data without realising, or without thinking it was important?

Whatever the reason, if we include personal information in those screenshots and wrongly share them, we could be breaching the Data Protection Act.

This happened at Durham University, which disclosed personal information in screenshots used to demonstrate the use of University systems in training material on a website. The information included the details of up to 177 former students and staff.

Steve Eckersley, Head of Enforcement said:

“All documents should be checked for personal information before being made available on a website. This case also highlights the importance of organisations having comprehensive data protection training in place for all staff.

“It is vital that schools, colleges and universities introduce robust systems to handle their pupils’ information on electronic and paper based systems in compliance with the Data Protection Act and we will continue to work with those in the education sector to ensure they are keeping young people’s details secure.”

Personal Information is under threat from “social engineering”

This week has uncovered two more breaches of the Data Protection Act after action was taken by the Information Commissioner and the Serious and Organised Crime Agency (SOCA) against individuals who used social engineering for profit.

The more criminal of the two cases involved “private detectives” blagging confidential information for their clients to use.

SOCA defines blagging as: “Blagging is the art of bypassing security measures through skilled persuasion and impersonating someone else.”

SOCA said of the case:

“SOCA’s focus during the investigation was criminal conspiracy. However in recognition of the fact that the operation might also uncover information relevant to other authorities, SOCA worked in partnership with a number of bodies including the Information Commissioner’s Office. SOCA will now hand over any such information to its partners to determine whether further action is appropriate.”

The Information Commissioner said:

“The scourge of data theft continues to threaten the privacy rights of the UK population. Whilst we welcome today’s sentencing of the private investigator, Graham Freeman, and his three accomplices, the outcome of the case underlines the need for a comprehensive approach to deterring information theft. If SOCA had been restricted to pursuing this case solely using their powers under the Data Protection Act then these individuals would have been faced with a small fine and would have been able to continue their activities the very next day. This is not good enough.

“Unscrupulous individuals will continue to try and obtain people’s information through deception until there are strong punishments to fit the crime. We must not delay in getting a custodial sentence in place for section 55 offences under the Data Protection Act.”

In the second example, a letting agent who tried to obtain details about a tenant’s finances from the Department for Work and Pensions (DWP) was found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.

Pinchas Braun, of Tottenham, was fined £200 and ordered to pay a £15 victim surcharge and £728.60 prosecution costs by Highbury Magistrates.

The ICO’s investigating officers identified the caller as Pinchas Braun. Further enquiries found that Braun worked for a property management and rental business called Manor West Estates and that he was responsible for rent collection. The DWP account that Mr Braun had targeted belonged to one of his employer’s tenants.

Information Commissioner, Christopher Graham, said:

“The Department for Work and Pensions hold important information about each and every one of us. We are very pleased that a DWP staff member was alert to this attempt to blag information and that the call was halted before it was too late.

“The motive behind Mr Braun’s action was financial. He knew that such an underhand method of obtaining the tenant’s personal information was illegal but carried on regardless.

“This case shows that unscrupulous individuals will continue to try and blag people’s details until a more appropriate range of deterrent punishments is available to the courts. There must be no further delay in introducing tougher powers to enforce the Data Protection Act beyond the current ‘fine only’ regime,” Mr Graham said.

“The contrast is striking in the penalties available for blagging under the Fraud Act on the one hand and under the Data Protection Act on the other. On the same day, prison sentences were handed down in one court with chicken feed fines being imposed in another – all for the same activity.”

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. This also applies to attempts under the Criminal Attempts Act. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

Both examples show how important it is for all organisations to be aware of the threat to their customers from “blagging” or “social engineering”. In the Braun case above, for example, he was unsuccessful because he didn’t know the middle name of the victim.


Is the Information Commissioner having a purge on breaches?

It seems that the Information Commissioner’s Office is releasing, on a daily basis, details of organisations that have breached the Data Protection Act.

Every day some employee has done something they should not have done: posted to the wrong place, not used the correct system, etc., which means the common cause is human…

The latest involves Cheshire East Council, which in May 2011 breached the Data Protection Act when a council employee contacted the local voluntary sector co-ordinator to alert voluntary workers that the Police had concerns about an individual who was working in the area.

Instead of sending an email via the council’s secure system, the employee sent an email to the local voluntary sector co-ordinator via her personal email account. This simple error cost the council £80,000.

Stephen Eckersley, Head of Enforcement, said about the Cheshire East breach:

“While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed. Cheshire East Council also failed to provide this particular employee with adequate data protection training. The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients.

“I hope this case – along with the fact that we’ve handed out over one million pounds worth of penalties since our powers came into force – acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data.”


E*Trade Securities Ltd falls foul of the ICO after losing customer records

In April 2010 E*Trade Securities Ltd discovered that 608 customer records were lost at a UK-based storage facility and, despite an investigation, was unable to recover the records.

E*Trade Securities Ltd did not have a formal agreement to store the customer information securely and subsequently informed the Information Commissioner’s Office in December 2010.

E*Trade Securities Ltd has now agreed to take action to keep the personal information it holds secure. This includes implementing written agreements with UK contractors storing client personal data on its behalf and making sure that appropriate audit trails are in place to record where client files are being sent and stored at all times.

Head of Enforcement, Steve Eckersley, said:

“This breach was caused by the company failing to have the necessary security measures in place to keep their clients’ information secure. 

“The fact that customer records are being archived in a storage facility and not regularly accessed does not give businesses license to forget about them. This case demonstrates how important it is to stipulate in writing how long personal information needs to be kept, how regularly it should be reviewed and when it can be securely destroyed.”


European Privacy Day 2012 – 28th January

The 28th January will be the European Privacy day for 2012.

The campaign states that “2011 was a year with privacy discussions about Facebook, use of hacking by journalists, use of intelligent CCTV by police forces, use of twitter during urban riots, face recognition, smart houses and smart viewing of houses, and ICT for active ageing.”

The campaign has the backing of most of Europe’s data protection agencies, e.g. the UK’s Information Commissioner’s Office and the European Data Protection Supervisor.


The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by monitoring the EU administration’s processing of personal data; advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Download the Privacy EDPS booklet here.


The Information Commissioner’s Office’s (ICO) mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We rule on eligible complaints, give guidance to individuals and organisations, and take appropriate action when the law is broken. You can find out more about us in this section.

To coincide with the European Privacy Day, the UK Information Commissioner has launched a campaign called Access Aware, which calls on individuals to be more careful when accessing Personally Identifiable Information (PII).

The Access Aware tool kit can be downloaded here.

Access Aware is one of the first outcomes of the ICO’s information rights priority work. Banking and finance companies as well as health bodies have been identified as the worst performing sectors in relation to handling subject access requests.

  • Lenders are the most complained-about sector. In 2010/11, over a third (34%) of completed data protection specific complaints concerning financial institutions were about mishandled subject access requests.
  • In 2010/11, almost half (45%) of data protection specific complaints about health bodies concerned mishandled requests.
  • In the same year, 34% of data protection specific complaints in the policing and criminal justice sector were about subject access.

Speaking on the 27th January 2012, ahead of the Privacy Day, the UK Information Commissioner, Christopher Graham said:

“Organisations that handle personal information need to remember that customer records are not simply their property – the individuals who do business with them also have rights. We are seeing far too many complaints that could easily have been avoided if they’d been given serious and timely consideration.

“The result of mishandling requests is not simply a blip on customer service satisfaction levels, it can cause individuals a great deal of upset. The people who are making these requests are not doing it for fun; the vast majority are seeking resolutions to real problems – such as being refused credit or making important decisions about their health. I hope businesses and bodies that handle personal data use European Data Protection Day as a prompt to think about ways to improve their subject access request handling. Our Access Aware materials have been designed to help them do just that.”


Lose memory stick: go straight to court, do not pass go and do collect damage to reputation…

Praxis Care Limited breached the UK Data Protection Act and the Isle of Man Data Protection Acts by failing to secure Personally Identifiable Information (PII).

An unencrypted memory stick was lost on the Isle of Man in August 2011 and contained personal information relating to:

  • 107 Isle of Man residents
  • 53 Northern Ireland residents

Some of the information was sensitive and related to individuals’ care and mental health.

Praxis Care Limited has informed all affected individuals about the loss and no complaints have yet been received by the regulators.

Christopher Graham, UK Information Commissioner, said:

“Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable. The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.

“The ICO will continue to work closely with other data protection regulators where it is clear that a data breach extends across national boundaries.”

Iain McDonald, Isle of Man Data Protection Supervisor, said:

“Today’s joint action aims to send a clear message to organisations that a lax attitude to data security will not be tolerated by either the ODPS or the ICO. We will continue to work with regulators in other countries to ensure that our residents’ personal information is protected.”


Illicit access of medical records leads to a breach of the Data Protection Act

A receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking has been found guilty of an offence under section 55 of the Data Protection Act (DPA).

Usha Patwal, of Romford, was given a two year conditional discharge and ordered to pay £614 prosecution costs by Havering Magistrates Court after unlawfully obtaining her sister-in-law’s medical records in order to find out about the medication she was taking.

The offence was uncovered when Patwal’s sister-in-law received text messages indicating that the texter knew about the medication she was taking.

She then contacted her doctors’ surgery – Gateway Medical Practice, Gravesend, Kent – to express her concerns.

The ICO investigation uncovered that Ms Patwal had made a call to Gateway posing as an employee of the King George Hospital in Romford, Essex, on 29 December 2010.

Further enquiries found that medical information had been faxed to Ms Patwal at the Lawns Medical Centre where she was employed as a receptionist. The fax has never been found and Mrs Patwal did not co-operate with the ICO investigation by giving an explanation for her actions.

Christopher Graham the Information Commissioner said:

“Medical records contain some of the most sensitive information possible. The medical centre’s receptionist was in a position of trust and abused her position for her own personal gain. This case demonstrates just how easy it can be to misuse personal data.

“Ms Patwal used her insider knowledge of the healthcare system to blag this information in an act that she believed would go undetected. The message from this case is clear: if you unlawfully obtain personal information there is always an audit trail, and you could end up in court.”


Clarification given on private email details and the Freedom of Information Act

The Information Commissioner has clarified how the Freedom of Information Act applies to official information held in private email accounts.


  • FOIA applies to official information held in private email accounts (and other media formats) when held on behalf of the public authority. Such information may be exempt and will not necessarily have to be disclosed
  • It may be necessary to request relevant individuals to search private email accounts in particular cases. The occasions when this will be necessary are expected to be rare
  • Adherence to good records management practice should assist in managing risks associated with the use of private email accounts for public authority business purposes

The ICO recommends that, as a matter of good practice, public authorities establish procedures for dealing with such situations. These should outline the relevant factors to be taken into account in deciding whether it is necessary to ask someone to search their private email account for information which might fall within the scope of an FOI request the public authority has received. Relevant factors are likely to include:

  • The focus of the request, indicated by the words used by the requester
  • The subject matter of the information which falls within the scope of the request
  • How the issues to which the request relates have been handled within the public authority
  • By whom and to whom was the information sent and in what capacity (e.g. public servant or political party member)
  • Whether a private communication channel was used because no official channel was available at the time

Key points set out in the Information Commissioner’s guidance include:

  • Where a public authority has decided that a relevant individual’s email account may include official information which falls within the scope of the request and is not held elsewhere, it will need to ask that individual to search their account
  • Where people are asked to check private email accounts, there should be a record of the action taken. The public authority needs to be able to demonstrate, if required, that appropriate searches have taken place
  • Although the main emphasis of the guidance is on official information held in private email accounts, public authorities should be aware that the law covers information recorded in any form
  • Public authorities should remind staff that deleting or concealing information with the intention of preventing its disclosure following receipt of a request is a criminal offence under section 77 of the Act
  • It is accepted that, in certain circumstances, it may be necessary to use private email for public authority business. There should be a policy which clearly states that in these cases an authority email address should be copied in to ensure the completeness of the authority’s records

Christopher Graham, the Information Commissioner, said:

“It should not come as a surprise to public authorities to have the clarification that information held in private email accounts can be subject to Freedom of Information law if it relates to official business. This has always been the case; the Act covers all recorded information in any form.

“It came to light in September that this is a somewhat misunderstood aspect of the law and that further clarification was needed. That’s why we’ve issued new guidance today with two key aims: first, to give public authorities an authoritative steer on the factors that should be considered before deciding whether a search of private email accounts is necessary when responding to a request under the Act. Second, to set out the procedures that should generally be in place to respond to requests. Clearly, the need to search private email accounts should be a rare occurrence; therefore, we do not expect this advice to increase the burden on public authorities.”



Information Commissioner fines two councils for emailing personal information

The Information Commissioner’s Office (ICO) has served monetary penalties to two councils for breaching the Data Protection Act.

The penalties were issued to North Somerset Council and Worcestershire County Council after staff at both authorities sent highly sensitive personal information to the wrong recipients. The news comes as the Information Commissioner is pressing for stronger powers to audit data protection compliance across local government and the NHS.

1. Worcestershire County Council was fined £80,000 for an incident in March 2011 where a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients. The error occurred when the employee clicked on an additional contact list before sending the email, which had only been intended for internal use.

Enquiries by the ICO found that Worcestershire County Council had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists. The council had also failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it. Fortunately, on this occasion all of the unintended recipients worked for registered organisations used to operating within the council’s protocols about handling sensitive data. Worcestershire County Council has explained to the ICO that as soon as the breach occurred the council employee immediately realised their error and attempted to contact all of the unintended recipients to ensure that the information was deleted.

2. North Somerset Council was fined £60,000 for breaching the Data Protection Act when a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.

The incidents, which took place during November and December 2010, occurred when a council employee selected the wrong email address when creating a personal distribution list. The council employee was told about the error by the unintended recipient shortly after the first incident took place. Despite this, information was emailed to the same NHS employee on a further three occasions. The issue was then raised at senior level. Two of the council’s Assistant Directors highlighted the issue with the employee on 9 December but a fifth and final incident took place later that same day. The NHS organisation verbally confirmed to North Somerset Council that it destroyed the emails after their own internal investigation was complete.

The ICO’s enquiries found that, although North Somerset Council had some policies and procedures in place, it had failed to ensure that relevant staff received appropriate data protection training. In response to these incidents, the ICO has recommended that the council adopts a more secure means to send information electronically, including encryption and ensuring that managers sign off email distribution lists.

Information Commissioner, Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.

“There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense. Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”

The ICO is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, if necessary without consent. The same powers are sought for NHS bodies following a series of data protection breaches.


Gambling takes on a new meaning when someone steals your personal information

A former gambling industry worker who unlawfully obtained and sold personal data relating to over 65,000 online bingo players has been found guilty of committing three offences under section 55 of the Data Protection Act.

Marc Ben-Ezra, of Finchley, was given a three-year conditional discharge and ordered to pay £1,700 to Cashcade Limited as well as £830.80 costs at Hendon Magistrates Court today.

Information Commissioner, Christopher Graham, said:

“This case shows that the unlawful trade in personal information is unfortunately still a thriving and lucrative activity. Mr Ben-Ezra sold people’s personal details on an industrial scale, making in the region of £25,000 at the expense of the tens of thousands of bingo players whose privacy he compromised, and who he exposed to the nuisance of being approached by rival betting websites and, at worst, the risk of identity theft.

“I am grateful to Cashcade Limited and Gala Coral for their work in exposing this unlawful practice. However, we still don’t have a punishment that fits the crime. The ICO continues to push for the government to activate the 2008 legislation that would allow courts to consider other penalties like community service orders or the threat of prison.”

The offences were first uncovered in May 2011 when Mr Ben-Ezra sent a series of emails to a number of contacts within the UK gaming industry offering customer data for sale. The emails were sent under the pseudonym Malcolm Edwards and contained a sample data set relating to 400 Foxy Bingo customers.

Cashcade Limited, which provides marketing services for the Foxy Bingo brand and is the data controller for its customer information, was concerned and wanted to know how its customer data had been obtained. The company instructed an investigative services company to conduct a test purchase of the data – which contained over 65,000 Foxy Bingo customers’ personal details – and paid Mr Ben-Ezra £1,700 cash for it. Cashcade Limited then handed this information to the ICO and co-operated fully with investigators to find out who was responsible.

Cashcade Limited believe that the acquired test data, which did not contain customers’ bank account details, was unlawfully obtained in 2008 and sold to Mr Ben-Ezra, who was working for a poker company in Israel at the time. Attempts by Cashcade to identify the perpetrators of the 2008 breach have so far been unsuccessful but remedial action to prevent a recurrence has been taken. The company is continuing to pursue the other perpetrators.

The data that was acquired contained customers’ names, addresses, email addresses, telephone numbers and usernames. Cashcade Limited has assured the ICO that no customer accounts were compromised.

The email sent to the investigative services company by Mr Ben-Ezra also included customer information relating to 404 Gala Coral customers from 2008. The data controller – Gala Coral Group – has confirmed that they believe that the information was unlawfully obtained from their management information system.

Mr Ben-Ezra was exposed as the individual behind the offences in August 2011 when the ICO’s investigators traced the email address which was found to be registered to the business address of Mr Ben-Ezra’s father-in-law. After enquiries were made at that address, Mr Ben-Ezra contacted the ICO and during his meetings with officers co-operated fully and handed over the laptops containing the data. During an interview under caution he admitted the offences and stated that the practice of buying and selling customer data was widespread during his time working in the gaming industry in Israel. He told officers that he kept the data which he had obtained whilst in Israel and, on moving to London, he sold it as a way of paying off his gambling debts.

The ICO has not received any complaints from the customers on the lists. Foxy Bingo and Gala Bingo have proactively contacted affected customers to assure them that their account information is secure.

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.


Council breaches the Data Protection Act by losing a memory stick

Rochdale Metropolitan Borough Council has breached the Data Protection Act after losing an unencrypted memory stick containing the details of over 18,000 residents.

The memory stick, lost in May, included, in some cases, residents’ names and addresses, along with details of payments to and by the council.

The device did not include any bank account details. The information had been put on a memory stick to compile the council’s financial accounts.

The memory stick has not been recovered.

The ICO’s investigation found that the council’s data protection practices were insufficient. The Council specifically failed to make sure that memory sticks provided to its staff were encrypted.

The council also failed to provide employees with adequate data protection training. As well as requiring the council to put all of the changes in place by 31 March 2012, the ICO will follow up with the council to ensure that the agreed actions have been implemented.

Acting Head of Enforcement, Sally-Anne Poole, said:

“Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people. 

“Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that’s why we will follow up with the council, to ensure they’re doing everything they can to prevent this type of incident happening again.”


Newcastle Youth Offending Team breached the Data Protection Act after theft of an unencrypted laptop

Newcastle Youth Offending Team breached the Data Protection Act by failing to encrypt a laptop containing personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.

The laptop – which contained personal data relating to 100 young people – was reported stolen from a contractor’s home in the Northumbria area in January. The contractor had been working on a youth inclusion programme on behalf of the Team. The majority of the personal data stored on the laptop included names, addresses, dates of birth and the name of the school the young person attended.

The ICO’s investigation found that, although Newcastle Youth Offending Team had a contract in place with the contractor, there was a failure to ensure that its employees were complying with necessary security measures.

Newcastle Youth Offending Team has stated that it will now take reasonable steps to ensure all data processors contracted to act on its behalf comply with the principles of the Act, including that all portable and mobile devices, including laptops, are encrypted.

Acting Head of Enforcement, Sally-Anne Poole, said:

“Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure. But, to their detriment, not enough data handlers are making use of it. This case also highlights how important it is to ensure that watertight procedures are in place before any work is undertaken by contractors. Organisations shouldn’t simply assume that third parties will handle personal data in line with their usual standards. I’m pleased that Newcastle Youth Offending Team has learned lessons from this incident and hope that it encourages others to heed our advice.” 


Calls for tougher penalties for breaches of the Data Protection Act

In the United Kingdom, the Act of Parliament that seeks to protect the personal data of its citizens is the Data Protection Act 1998 (DPA).

The enforcer of the Act is the Information Commissioner’s Office (ICO). The ICO also has responsibility for other Acts of Parliament, specifically the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

Within the Data Protection Act, anyone who processes personal information must comply with eight principles, which make sure that personal information is:

  1.  Fairly and lawfully processed
  2.  Processed for limited purposes
  3.  Adequate, relevant and not excessive
  4.  Accurate and up to date
  5.  Not kept for longer than is necessary
  6.  Processed in line with your rights
  7.  Secure
  8.  Not transferred to other countries without adequate protection

The Justice Committee has recently produced a report on referral fees and the theft of personal data and concluded that the fines for breaching the Data Protection Act needed to be tougher.

Sir Alan Beith, the Chair of the Justice Committee said:

“Using deception to obtain personal information – sometimes known as blagging – or selling it on without permission are serious offences that can cause great harm.

“Fines are used to punish breaches of data protection laws, but they provide little deterrent when the financial gain exceeds the penalty.

“Magistrates and Judges need to be able to hand out custodial sentences when serious misuses of personal information come to light. Parliament has provided that power, but Ministers have not yet brought it into force – they must do so.”

Report on the Potential misuses of personal data
Potential misuses of personal data are also not being fully investigated, the MPs warn, because the Information Commissioner does not have the power to compel private sector organisations to undergo information audits. If the Commissioner had been able to compel audits of insurance companies and personal injury lawyers the issues around referral fees might have been identified and tackled sooner.

Sir Alan Beith MP added:

“The Information Commissioner’s lack of inspection power is limiting his ability to identify problems or investigate potential data abuses.

“Ministers must examine how to enable the Commissioner to investigate properly without increasing the regulatory burden on business or the public sector.”

Report on Referral fees
The committee welcomes the Government’s commitment to ban referral fees in personal injury cases. The MPs call on Ministers to take into account the fact that referral fees reward a range of illegal behaviour. The report concludes that banning referral fees, together with custodial sentences for breaches of Section 55 of the Data Protection Act, would increase the deterrent and reduce the financial incentives for such offences.

Case studies quoted in the Justice Committee Report:

  1. In one case, a nurse was providing patient details to her partner who worked for an accident management company. A fine was imposed of £150 per offence, but accident management companies pay up to £900 for one client’s details.
  2. A woman whose husband had been jailed for sexual assault accessed the bank account details of the victim. The woman attempted to monitor the victim’s spending and social activities but was only fined £100 per offence.

Information Commissioner, Christopher Graham said:

“The Government should lose no more time in bringing in appropriate deterrent sentences to combat the unlawful trade in personal data. Lord Justice Leveson’s Inquiry into press standards should not be used as an excuse for inaction. The Ministry of Justice still has not given a response to the previous administration’s public consultation of two years ago. We need action, not more words. Citizens are being denied the protection they are entitled to expect from the Data Protection Act.

“We shouldn’t have to wait a further year for the 2008 legislation to be commenced when today’s highly profitable trade in our data has little if anything to do with the press.

“The Commissioner recently called for stronger powers of audit. The ICO is building a business case for the extension of Assessment Notice powers to parts of the private sector such as motor insurance and financial services as well as to the NHS and local government.

“I welcome the support of the Justice Committee.”


Students are concerned that information online might affect their careers

42% of students are concerned that personal information available about them online might affect their future employment prospects, the Information Commissioner’s Office (ICO) said, as it launched its 2011 Student Brand Ambassador campaign.

New figures also show that many students are not adequately protecting themselves against the risk of identity theft.

  • 33% of students who have lived at a previous address while at university still haven’t arranged the redirection of all their important post to their current university address
  • 76% haven’t checked their credit rating in the last year
  • 66% have never checked it, allowing suspicious credit applications to go unnoticed

The ICO has launched its 2011 Student Brand Ambassador Campaign, a nationwide project aimed at raising young people’s awareness of information rights.

Students at 15 universities across the UK, including Manchester, Cardiff, Edinburgh and Ulster, have been recruited to promote the ICO’s work on campus. Tasks involve spreading the word using social media, generating local media coverage and doing promotional work.

Information Commissioner, Christopher Graham, said:

“In tough times, young people are clearly less relaxed about privacy, particularly in relation to information that they post online – but many may not know what they can do about it. The Student Brand Ambassador campaign is about arming students with the advice they need to protect themselves from obvious dangers such as identity theft and keeping their social lives private. It’s about empowering young people to take back control of their information and I hope the campaign is embraced by students at universities across the UK.”

All figures, unless otherwise stated, are from YouGov Plc. The survey’s total sample size was 500 full-time university students. Fieldwork was undertaken between 14 and 17 October 2011.


Information Commissioner: Businesses ‘waking up’ to Data Protection responsibilities

Businesses may be ‘waking up’ to their obligations under the Data Protection Act (DPA), but public confidence in how personal information is being handled continues to decline, the Information Commissioner’s Office (ICO) said today.

Figures published show that nearly three quarters of businesses surveyed now know that the DPA requires them to keep personal information secure. This is up 26% on last year’s figure.

Public confidence has fallen, with fewer than half of those surveyed believing organisations process their data in a fair and proper manner. Concern is particularly high in relation to web-based businesses, with almost three quarters of individuals believing that online companies are not keeping their details secure.

Information Commissioner, Christopher Graham said:

“I’m encouraged that the private sector is waking up to its data protection responsibilities, with unprompted awareness of the Act’s principles higher than ever. However, the sector does not seem to be putting its knowledge to good use. The fact is that security breaches in the private sector are on the rise, and public confidence in good information handling is declining. Businesses seem to know what they need to do – now they just need to get on with doing it. It’s not just the threat of a £500,000 fine that should provide the incentive. Companies need to consider the damage that can be done to a brand’s reputation when data is not handled properly. Customers will turn away from brands that let them down.”   

The ICO’s annual track survey looks at information rights issues across the board. Other figures released today show that awareness of citizens’ rights under the Freedom of Information Act is increasing.

  • 90% of public authorities surveyed are aware that individuals have a right to see information.
  • 84% also agreed that the Act is needed.
  • 24% of respondents were sceptical that the information they’d like to see is actually being made public.
  • Just half of those surveyed are satisfied that information is readily available and accessible.
  • 70% recognise the ICO’s role as the enforcer of the Data Protection Act, the highest awareness level since the question was introduced to the annual survey in 2004.
  • 53% of businesses surveyed now have a clear understanding of the ICO’s role in this area compared with 20% last year. This increase is partly driven by the private sector.
  • 58% more breaches have been reported to the ICO so far in 2011/12 than in the same period last year.

The Information Commissioner, Christopher Graham, added:

“This survey highlights the increasing importance of accountability and transparency, and the public’s right to know. Almost all public authorities can see the clear benefits of having freedom of information laws. But more needs to be done to make sure that the right information is being made available since only half of citizens surveyed feel they have easy access to the information they want.”

