Brian Pennington

A blog about Cyber Security & Compliance

Who breached the Data Protection Act in the first half of 2013?

As we have passed the first half of 2013, I thought it would be a good time to publish the entire list of who fell foul of the UK Data Protection Act and were punished by the Information Commissioner (ICO).

There are three types of punishment administered by the ICO:

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practice and needs the helping guidance of the ICO.
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury and not to the ICO. Many argue that the ICO would be a stronger body if it had more money, and penalties are a good way to generate more revenue – a self-funding government department.

  • 12 July 2013 NHS Surrey. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved, outstanding issues are now being dealt with by the Department of Health.
  • 8 July 2013 Tameside Energy Services Ltd. A monetary penalty notice has been served to Tameside Energy Services Ltd after the Manchester based company blighted the public with unwanted marketing calls.
  • 18 June 2013 Nationwide Energy Services and We Claim You Gain. Monetary penalty notices have been served to Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey, between 26 May 2011 and end of December 2012.
  • 13 June 2013 North Staffordshire Combined Healthcare NHS Trust. A monetary penalty notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
  • 7 June 2013 Glasgow City Council. A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
  • 5 June 2013 Halton Borough Council. A monetary penalty notice has been served to Halton Borough Council, in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.
  • 3 June 2013 Stockport Primary Care Trust. A monetary penalty has been served to Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.
  • 20 March 2013 DM Design Bedroom Ltd. A monetary penalty has been served to DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.
  • 15 February 2013 Nursing and Midwifery Council. A monetary penalty has been served to the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
  • 24 January 2013 Sony Computer Entertainment Europe Limited. A monetary penalty has been served to the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. They failed in their bid to appeal.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act. Typically this involves encryption, training and management procedures.

  • 16 July 2013 Janet Thomas. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website.
  • 9 July 2013 Health & Care Professions Council (HCPC). An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.
  • 12 June 2013 (issued 10 September 2012) Bedford Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.
  • 2 June 2013 (issued 18 September 2012) Central Bedfordshire Council. An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.
  • 31 May 2013 Leeds City Council. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.
  • May Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 21 May 2013 (issued 9 November 2011) News Group Newspapers. An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.
  • 26 April 2013 The Burnett Practice. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.
  • 4 April 2013 East Riding of Yorkshire Council. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.
  • 25 January 2013 Mansfield District Council. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.
  • 16 January 2013 Prospect. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

  • 23 May 2013 A former manager of a health service based at a council-run leisure centre in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to over 2,000 people.
  • 8 April 2013 A Hertfordshire estate agent has been prosecuted under section 17 of the Data Protection Act after failing to notify the ICO.
  • 12 March 2013 A former receptionist at a GP surgery in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife.

Also read

Irish Data Protection Commissioner publishes his 2012 Annual Report

This week sees the Irish Data Protection Commissioner, Billy Hawkes, release his annual report for 2012.

The report summarises the activities of the Commissioner’s Office during 2012 and, like his UK counterpart, focuses on the investigations and audits undertaken and provides a commentary on the impact of European and international data protection activities.

As with the UK, the use and sharing of personally identifiable information (PII), especially in the public sector, has been a major issue.

The Commissioner accepts that data sharing can bring benefits in terms of efficient delivery of public services but cautions that it should be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason. Appendix 4 of this year’s report contains the full audit report carried out by the Office into external public agency access to the Department of Social Protection INFOSYS database, which uncovered significant breaches of the data protection legislation in relation to access to and governance of personal data.

In the 2011 Annual Report the Commissioner drew attention to the increased demand on the resources of the Office. The Commissioner in his 2012 report points to the Government’s response by providing additional staffing and funding to the Office. In addition, the Government has also given a commitment to keep the resourcing of the Office actively under review to ensure that any additional resources required will be made available. The Commissioner acknowledges that his Office is now well placed to discharge its current statutory responsibilities. Given the likely increased role for the Office, which will emerge from the new “one-stop-shop” arrangement being proposed at EU level for oversight of multi-national companies, the Commissioner welcomes the commitment to ongoing review of further resource requirements.

Complaints:

During 2012, the Office opened 1,349 complaints for investigation, exceeding last year’s record high number with an increase of 188. Complaints from individuals in relation to difficulties gaining access to their personal data held by organisations accounted for just under one-third of the overall complaints investigated during 2012. There was a marked increase in the number of complaints under the Privacy in Electronics Regulations during 2012 (up from 253 in 2011 to 606 during 2012).

The report includes case studies of a number of specific investigations including:

  • Prosecution of three Insurance Companies for Data Protection Registration offences after social welfare data, sourced via a private investigator, was found on insurance claim files held by those companies.
  • Prosecution of a number of companies for unsolicited marketing offences
  • High Court ruling that Dublin Bus must supply copy of CCTV footage requested under the right of access

Breakdown of complaints

Complaint category             Share      Number
Electronic Direct Marketing    44.93%     606
Access Rights                  32.77%     448
Disclosure                      7.86%     106
Unfair Processing of Data       2.59%      35
Unfair Obtaining of Data        0.96%      13
Use of CCTV Footage             2.37%      32
Failure to secure data          2.59%      35
Accuracy                        1.41%      19
Excessive Data Requested        1.78%      24
Unfair Retention of Data        1.26%      17
Postal Direct Marketing         0.74%      10
Other                           0.74%      10
TOTALS                        100.00%    1349

Number of complaints since 2003

Year    Complaints received
2003    258
2004    385
2005    300
2006    658
2007    1037
2008    1031
2009    914
2010    783
2011    1161
2012    1349

Data Breach Notifications

During 2012, the Office dealt with 1,666 personal data security breach notifications. This is again an increase in the numbers dealt with compared to previous years. Of the 1,666 notifications received, it was found that 74 cases were not deemed to be personal data security breaches on the part of the data controller making the notification. This was due to either appropriate security measures, such as encryption, being in place to protect the data or to individuals failing to update their contact details with the data controller, resulting in letters issuing to an incorrect address. A total of 1,592 valid data breach notifications were therefore recorded. This is an increase of over 400 on last year.

The introduction, in July 2011, of S.I. 336 of 2011 made it a legal requirement for telecommunication companies and Internet Service Providers (ISPs) to notify this Office, without undue delay, of a data security breach and to also notify affected individuals of such a breach. In September 2012, two telecommunications companies were prosecuted for failing to meet their legal obligation in this regard. In the first full year of S.I. 336 being in effect, a total of 60 data security breach notifications were received from Telecommunications companies and ISPs.

Due to the year-on-year increase in the number of data security breach notifications received by the Office, additional resources were allocated to the area. A Technology Advisor has also been appointed to allow the Office to properly investigate the more complex Information Technology (IT) related matters that are brought to its attention. During 2012, we have taken a more proactive stance in relation to potential data security breaches and have initiated investigations into matters that have been identified through mention in areas such as social media sites.

While the complexity of certain data security breaches increases, it is the more mundane situation of correspondence being issued to an incorrect address that continues to account for the largest percentage of data security breaches. Over two thirds of all breach notifications received by the Office involved letters being issued by post, either to an incorrect address or containing a third party’s personal data.

The annual report includes a number of “case studies” detailing specific organisations who sustained breaches.

Privacy Audits:

In the course of 2012, 40 audits and inspections were carried out by this Office. This is an increase on the previous year – 2011 – in which 33 audits were completed in total. Included in the list of the audits/inspections, is the INFOSYS investigation which, although initially a ‘desk audit’, eventually led to a large number of meetings and visits to agencies within the public sector who had access to INFOSYS.

Examples of who was audited are below:

  • O2
  • An Garda Síochána
  • Facebook-Ireland (follow-up review)
  • Ulster Bank (reporting procedures with the Irish Credit Bureau)
  • Permanent TSB (reporting procedures with the Irish Credit Bureau)
  • National Irish Bank (reporting procedures with the Irish Credit Bureau)
  • Bank of Ireland (reporting procedures with the Irish Credit Bureau)

The report is 127 pages long, with almost 80% focusing on specific case studies. It makes interesting reading. The full document can be found here.


Lack of guidance on BYOD raises data protection concerns

The UK Information Commissioner’s Office (ICO) has commissioned a survey into business attitudes towards Bring Your Own Device (BYOD).

The survey results show that many employers appear to have a ‘laissez faire’ attitude to allowing staff to use their personal laptops, tablets or smartphones at work and for work business, which may be placing people’s personal information at risk.

The survey, carried out by YouGov, reveals that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But fewer than 3 in 10 who do so are provided with guidance on how their devices should be used in this capacity, raising worrying concerns that people may not understand how to look after the personal information accessed and stored on these devices.

Simon Rice, Group Manager (Technology), said:

“The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely. While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure.

“The cost of introducing these controls can range from being relatively modest to quite significant, depending on the type of processing being considered, and might even be greater than the initial savings expected. Certainly the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach. This is why organisations must act now.

“Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider. For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?”

Today’s guidance from the ICO explains how organisations need to be clear on the types of personal data that can be processed on personal devices and have remote locate and wipe facilities in place so the confidentiality of the data can be maintained in the event of a loss or theft.

Key recommendations from the ICO’s guidance:

  • Be clear with staff about which types of personal data may be processed on personal devices and which may not
  • Use a strong password to secure your devices
  • Enable encryption to store data on the device securely
  • Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times
  • Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all
  • Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft

The survey results below show that email is the most common work activity carried out on a personal device (55%). Considering what information can be in the body of an email or attached to it, this leaves an organisation open to many commercial, legislative and regulatory risks, for example PCI DSS compliance.

All UK adults online who use a smartphone, laptop or tablet PC for work purposes: activities carried out on the device

Activity                                                        Share
Work email                                                      55%
Accessing work files                                            35%
Storage of work documents and work files                        36%
Social networking (e.g. LinkedIn, Twitter, Facebook) for work   26%
Editing work documents                                          37%
Uploading work information to a website                         19%
Work video chat (e.g. Skype etc.)                                7%
Work related applications (Apps)                                16%
Work related online banking                                     14%
Work related shopping                                           12%
Work related web browsing                                       35%
Other                                                           22%
None of these


Nursing and Midwifery Council fined for breaching the Data Protection Act

The Information Commissioner’s Office has issued a £150,000 fine to the Nursing and Midwifery Council for breaching the Data Protection Act.

The Nursing and Midwifery Council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. 

In October 2011 the DVDs, containing confidential information, were sent to a misconduct hearing via a courier. When the package arrived at the hearing the DVDs were missing, and they have never been found.

After an investigation by the ICO it was found that the information was not encrypted.

David Smith, Deputy Commissioner and Director of Data Protection, said:

It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected. 

I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case? 

If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.

The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered. 

The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.


The Prudential is fined £50,000 for breaching the Data Protection Act

The UK’s Information Commissioner’s Office (ICO) has fined the Prudential £50,000 after an administrative error in two accounts that led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account.

This is the first monetary penalty served by the ICO that doesn’t relate to a significant data loss.

The original error, in March 2007, was caused when the records of both customers, who share the same first name, surname and date of birth, were mistakenly merged.

The problem was eventually resolved in September 2010. This was despite the company being alerted to the mistake on several occasions, including a letter from one of the customers in late April 2010 which clearly indicated his address had not changed for over 15 years. The company failed to investigate thoroughly at this point and the penalty imposed today relates to the inaccuracy then present which continued for a further six months.

Stephen Eckersley, ICO Head of Enforcement, said:

“Organisations must make sure the information they hold on their customers’ files is accurate and kept up to date in order to comply with the Data Protection Act. In this case two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved.

“This case would be considered farcical were it not for the serious sums of money involved.”

Last year the public made more complaints about the way money lenders were handling their information than for any other sector. Around 15% of the almost 13,000 data protection complaints received by the ICO during the last financial year were due to concerns relating to this group, with inaccurate data the third most complained about issue across all sectors.

Commenting on the ICO’s concerns in this area, Stephen Eckersley continued:

“While data losses may make the headlines, most people will contact our office about inaccuracies and other issues relating to the misuse of their information. Inaccurate information on a customer’s record, particularly when the record relates to an individual’s financial affairs, can have a significant impact on someone’s life.

“We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate. Staff should also receive adequate training on how to manage and maintain them, with any concerns fully investigated in order to ensure problems are addressed at an early stage.”

Prudential has committed to staff training and an improvement in processes to ensure that the accuracy of customers’ records is maintained at all times.


Overall the UK needs to improve its approach to the Data Protection Act

The Information Commissioner’s Office (ICO) has published its audits of the UK’s four largest sectors and, whilst it was positive about the approach of the private sector, it raised concerns about the public sector.

The audit reports (below) summarise the outcomes of over 60 ICO audits carried out in the private, NHS, local and central government sectors.

Announcing the reports, Louise Byers, Head of Good Practice, at the ICO said:

“We have been providing free audits to help organisations look after the personal information they collect and publishing the results for two years now. During this time we have seen some innovative and well thought out approaches to keeping people’s personal information secure and complying with the Data Protection Act. Today’s reports allow for this knowledge to be shared, while raising areas of continued concern.”

Each report provides a summary of the level of assurance the organisations in each sector have provided during their audit, along with relevant examples of good practice and existing areas for improvement. The audits were all carried out between February 2010 and July 2012.

Within the private sector, the ICO had a high level of assurance that 11 out of the 16 companies audited had policies and procedures in place to comply with the Act. This included having robust security measures in place and providing thorough training for their staff.

Commenting on the report for the private sector, Louise Byers continued:

“The private sector organisations we have audited so far should be commended for their positive approach to looking after people’s data. However this does not mean that businesses in the UK should rest on their laurels. We are still seeing relatively few companies agree to an ICO audit and further improvements can be made, particularly when it comes to the retention and deletion of data.”

In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend with only one out of 19 organisations achieving the highest mark. Central government departments fare little better, with two out of 11 organisations achieving the highest level of assurance.

Louise Byers continued:

“While the NHS and central government departments we’ve audited generally have good information governance and training practices in place, they need to do more to keep people’s data secure. Local government authorities also need to improve how they record where personal information is held and who has access to it.

“The results of these reports show why we have requested an extension to our compulsory audit powers to cover the NHS and local government sectors. Organisations in these areas will be handling sensitive information, often relating to the care of vulnerable people. It is important that we have the powers available to us to help these sectors improve.”

Good Practice Audit outcomes analysis NHS – February 2010 to July 2012

Good Practice Audit outcomes analysis Local authorities – February 2010 to July 2012

Good Practice Audit outcomes analysis Central Government – February 2010 to July 2012

Good Practice Audit outcomes analysis Private sector – February 2010 to July 2012


Information Commissioner publishes guidance on cloud computing

The UK’s Information Commissioner’s Office (ICO) has published guidelines on how businesses should treat personal information in the cloud, whether that is a private or public cloud.

The data protection regulator, the ICO, is concerned that many businesses do not realise they remain responsible for how the data is handled whilst it is in the cloud.

This has resulted in the ICO publishing a guide to cloud computing, to help businesses comply with the law.

The guide gives tips including:

  • Seek assurances on how your data will be kept safe. How secure is the cloud network, and what systems are in place to stop someone hacking in or disrupting your access to the data?
  • Think about the physical security of the cloud provider. Your data will be stored on a server in a data centre, which needs to have sufficient security in place.
  • Have a written contract in place with the cloud provider. This is a legal requirement, and means the cloud provider will not be able to change the terms of the service without your agreement.
  • Put a policy in place to make clear the expectations you have of the cloud provider. This is key where services are funded through adverts targeted at your customers: if they’re using personal data and you haven’t asked your customers’ permission, you’re breaking data protection law.
  • Don’t forget that transferring data internationally brings a number of obligations – that includes using cloud storage based abroad.

Speaking as the guide was launched, author Dr Simon Rice, ICO technology policy advisor, said:

“The law on outsourcing data is very clear. As a business, you are responsible for keeping your data safe. You can outsource some of the processing of that data, as happens with cloud computing, but how that data is used and protected remains your responsibility.

“It would be naïve for an organisation to take the attitude that these guidelines are too much effort to simply store some data in a different place. Where personal information is involved, the stakes are high and the ICO has already demonstrated it will act firmly against those who don’t meet data protection laws.”


65% of businesses do not protect their customers’ private data

According to a survey by GreenSQL more than 65% of businesses do not protect their customers’ private data from unauthorised employees and consultants.

The results are interesting because every day we hear of another data breach or another form of malware which can steal data or at least damage it. You would think that with this amount of coverage businesses would sit up and start protecting their livelihood, because that is what customer information is: their livelihood.

For an idea of the scale of the UK’s problem have a look at my post “Who has breached the Data Protection Act in 2012? Find the complete list here”.

Maybe it is bad news fatigue? Maybe the constant flow of horror stories makes them think that they cannot do anything about it, so why bother?

I can understand the sentiment because on a personal level I do not wear a Kevlar jacket and carry pepper spray when I walk my dogs on a cold dark winter evening on the distant chance I might be mugged.

However, businesses cannot escape their contractual commitment to protect credit card data under the Payment Card Industry Data Security Standard (PCI DSS), and they cannot escape the legislative requirements to protect Personally Identifiable Information (PII), for example the Data Protection Act and the pending European-wide Data Protection Act.

The survey results fall into three categories:

  1. Ignore. 65% take no preventative measures
  2. Think about it. 23% use masking techniques only in non-production environments, such as dummy data and scrambling
  3. Try. 12% deploy dynamic data masking solutions on their production environments

I suspect that those who indicated that they deploy technologies to mask data are talking about credit card data, where all payment applications are governed by the Payment Card Industry’s PA DSS. Masking should, however, be applied to all sensitive data that could cause financial or reputational damage to anyone: customer, employee or contractor.

“Most companies would say protecting customer data is critical to maintaining their business and reputation,” said GreenSQL CEO, Amir Sadeh. “However, something is wrong when we discover that many IT departments are making no masking efforts whatsoever, and others are taking tepid approaches.”

GreenSQL surveyed “hundreds of IT managers and developers at large organizations” about the measures they took to prevent developers, QA, DBAs, consultants, outsourced employees, suppliers and application users from having access to sensitive data.

In summary, adding protection to databases and sensitive data is not hard, and with current market trends moving towards cloud-based solutions the costs are no longer prohibitive compared to becoming one of those horror stories people keep ignoring.


Who has breached the Data Protection Act in 2012? Find the complete list here.

So far 2012 has been a busy year for the Information Commissioner’s Office (ICO), and with almost three quarters of the year gone I thought I would look at who has fallen foul of the Data Protection Act.

There are normally three types of punishments administered by the ICO:

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practice and needs the helping guidance of the ICO.
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

In the near future I expect the proposed revised and consolidated European-wide Data Protection Act to lead to more activity by the ICO, in the UK and across the other 27 member states. Read my summary of the proposed European Data Protection Act here.

Below is a summary of the ICO’s activity in 2012 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size and the financial and other resources of the organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury.

  • 6 August 2012 A monetary penalty of £175,000 was issued to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website. Read the details here.
  • 12 July 2012 A monetary penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
  • 5 July 2012 A monetary penalty notice of £150,000 has been served to Welcome Financial Services Limited following a serious breach of the Data Protection Act. The breach led to the personal data of more than half a million customers being lost.
  • 19 June 2012 A monetary penalty notice of £225,000 has been served to Belfast Health and Social Care Trust following a serious breach of the Data Protection Act. The breach led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO.
  • 6 June 2012 A monetary penalty for £90,000 has been served to Telford & Wrekin Council for two serious breaches of the seventh data protection principle. A Social Worker sent a core assessment report to the child’s sibling instead of the mother. The assessment contained confidential and highly sensitive personal data. Whilst investigating the first incident, a second incident was reported to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother. Both children had to be re-homed.
  • 1 June 2012 A monetary penalty notice for £325,000 has been served on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine patients – on hard drives sold on an Internet auction site in October and November 2010. Read the details here.
  • 21 May 2012 A monetary penalty notice for £90,000 has been served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when sensitive personal data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data. Read the details here.
  • 15 May 2012 A monetary penalty of £70,000 was issued to the London Borough of Barnet following the loss of sensitive information relating to 15 vulnerable children or young people, during a burglary at an employee’s home. Read the details here.
  • 30 April 2012 A monetary penalty of £70,000 has been issued to the Aneurin Bevan Health Board following an incident where a sensitive report containing explicit details relating to a patient’s health was sent to the wrong person. Read the details here.
  • 14 March 2012 A monetary penalty of £70,000 was issued to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15 year old girl. Read the details here.
  • 15 February 2012 A monetary penalty of £80,000 has been issued to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients. Read the details here.
  • 13 February 2012 A monetary penalty of £100,000 has been issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. View a PDF of the Croydon Council monetary penalty notice.
  • 13 February 2012 A monetary penalty of £80,000 has been issued to Norfolk County Council for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.
  • 30 January 2012 A monetary penalty of £140,000 was issued to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland. Read the details here.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act; typically this involves encryption, training and management procedures.

  • 6 August 2012 An undertaking to comply with the seventh data protection principle has been signed by Marston Properties. This follows the loss of 37 staff members’ details when the filing cabinet the information was stored in was sent to a recycling centre and crushed.
  • 13 July 2012 An undertaking to comply with the seventh data protection principle has been signed by West Lancashire Borough Council. This follows the theft of a business continuity bag containing emergency response documents and personal data relating to 370 council employees.
  • 26 June 2012 An undertaking to comply with the seventh data protection principle has been signed by South Yorkshire Police. This follows the inclusion of personal data relating to drug offences, in response to a Freedom of Information request made by a journalist.
  • 23 May 2012 An undertaking to comply with the seventh data protection principle has been signed by Holroyd Howe Independent Ltd. This follows the release of a document containing details of employees’ pay to a former employee.
  • 30 April 2012 An undertaking to comply with the seventh data protection principle has been signed by the Aneurin Bevan Health Board. This follows an incident where a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person. This breach was also the subject of a monetary penalty.
  • 25 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Safe and Secure Insurances Services Limited. This follows the purchase of a hard drive from the Internet which contained personal data relating to the company’s clients.
  • 18 April 2012 An Undertaking to comply with the seventh data protection principle has been signed by Brecon Beacons National Park Authority. This follows two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Leicestershire County Council, following the theft of a briefcase containing sensitive personal data from a social worker’s home.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Toshiba Information Systems UK Ltd. This follows a web design error that created the potential for unauthorised access to individuals’ personal data.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Hertfordshire County Council. This follows the loss of an Attendance and Pupil Support consultation folder in January 2011.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by South London Healthcare NHS Trust. This follows the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. All of the information was recovered.
  • 27 March 2012 An Undertaking has been signed by Pharmacyrepublic Ltd following the theft of a patient medication system containing the medication details of 2000 patients. The system, which was supplied by another firm, should have been securely returned to them by Pharmacyrepublic Ltd before the premises were vacated. Read the details here.
  • 14 March 2012 An undertaking to comply with the seventh data protection principle has been signed by the Lancashire Constabulary. This follows the discovery of a missing person’s report on a street in Blackpool. A monetary penalty has also been issued to the authority in connection with this incident.
  • 9 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Enable Scotland (Leading the Way), after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Community Integrated Care, a national social care charity. This follows the theft of an unencrypted laptop containing personal and sensitive personal data.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by Durham University. This follows the disclosure of personal information in training materials published on its website.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by London Borough of Croydon. This follows the theft of a bag belonging to a social worker from a public house in London. The bag contained a hard copy file of papers concerning a child who is in the care of the Council. This incident was also subject to a monetary penalty which was announced earlier this month.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Dr Pervinder Sanghera of Arthur House Dental Care. This follows the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice.
  • 10 February 2012 Youth charity Fairbridge has signed an undertaking committing the organisation to taking action after the loss of two unencrypted laptops containing employee information.
  • 10 February 2012 Healthcare provider Turning Point has signed an undertaking committing the organisation to take action after the loss of three service users’ files during an office relocation.
  • 10 February 2012 Five local authorities have signed undertakings to comply with the seventh data protection principle, following incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.
  • 10 February 2012 Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.
  • 10 February 2012 Brighton and Hove Council emailed the details of another member of staff’s annual salary – and the deductions made from this – to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee.
  • 10 February 2012 Undertakings have also been signed by Dacorum Borough Council, Bolton Council and Craven District Council.
  • 3 February 2012 An undertaking to comply with the seventh data protection principle has been signed by E*Trade Securities Ltd. This follows a report to the Commissioner concerning missing client files. The files contained limited sensitive personal data including identification documents.
  • 20 January 2012 An undertaking has been signed by Manpower UK Ltd following a breach of the Data Protection Act where a spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees.
  • 18 January 2012 An undertaking has been signed by the Chartered Institute of Public Relations, following the loss of up to 30 membership forms on a train. The organisation didn’t have a policy in place for handling personal data outside of the office at the time of the incident.
  • 18 January 2012 Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep people’s data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man.

Prosecutions:

  • 2 August 2012. Mohammed Ali Enayet, owner of The Lime Lounge in Cleveleys has been prosecuted by the ICO for failing to register his premises’ use of CCTV equipment.
  • 30 March 2012. SAI Property Investments Limited, trading as IPS Property Services, and one of its directors, Mr Punjab Sandhu, who unlawfully obtained details about their tenants from a rogue employee at Slough Borough Council, have been found guilty of committing offences under Section 55 of the Data Protection Act 1998 (DPA).
  • 27 February 2012. Pinchas Braun, a letting agent who unlawfully tried to obtain details about a tenant’s finances from the DWP has been found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.
  • 12 January 2012. Juliah Kechil, formerly known as Merritt, a former health worker has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

The ICO is not just an enforcer; the Commissioner offers advice too. See The Information Commissioner’s 5 Tips on how to better protect personal information.

The list was compiled on 16th August 2012; updates will be added later, so why not subscribe to the blog and automatically get the updates.


See Who breached the Data Protection Act in 2013? Find the complete list here.
